Provide the data subject with the name, title, and address to whom complaints are forwarded.


CONTROL ID: 00395
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a privacy dispute resolution program. (CC ID: 12526)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • where section 24(3)(e) is applicable, of the name and address of the other data user concerned. (Part 5 Division 2 Section 25(1)(b), Hong Kong Personal Data (Privacy) Ordinance, E.R. 1 of 2013)
  • of the data subject's right to request access to and to request correction of the personal data and how to contact the data user with any inquiries or complaints in respect of the personal data; (Part II Division 1 7. (1) (d), Personal Data Protection Act 2010, Act 709, As at 15 June 2016)
  • Where the data subject is dissatisfied with the failure of the data user to comply with the notice, whether in whole or in part, under subsection (1), the data subject may submit an application to the Commissioner to require the data user to comply with the notice. (Part II Division 4 43. (2), Personal Data Protection Act 2010, Act 709, As at 15 June 2016)
  • Where the data subject is dissatisfied with the failure of the data user to comply with the data subject notice, whether in whole or in part, under paragraph (3)(b), the data subject may submit an application to the Commissioner to require the data user to comply with the data subject notice. (Part II Division 4 42. (4), Personal Data Protection Act 2010, Act 709, As at 15 June 2016)
  • Departments with personal information protection duties shall publish their contact information for receiving complaints and reports. (Article 65 ¶ 2, Personal Information Protection Law of the People's Republic of China)
  • The information commissioner must be satisfied that the privacy code provides for appointing an independent adjudicator to whom complaints may be made before approving a privacy code that includes procedures for making and dealing with complaints. (§ 18BB(3)(b), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • that the APP privacy policy of the APP entity contains information about how the individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint; (Schedule 1 Part 2 Clause 5 Subclause 5.2(h), Australian Privacy Act 1988, Compilation No. 77)
  • the existence of the right to lodge a complaint with the Commissioner and the contact details of the Commissioner. (§ 44(1)(e), UK Data Protection Act 2018 Chapter 12)
  • the existence of the data subject's right to lodge a complaint with the Commissioner and the contact details of the Commissioner; (§ 45(2)(f), UK Data Protection Act 2018 Chapter 12)
  • the right to lodge a complaint with the Commissioner and the contact details of the Commissioner; (§ 93(1)(e), UK Data Protection Act 2018 Chapter 12)
  • the existence of the right to lodge a complaint with the Commissioner and the contact details of the Commissioner. (§ 44(1)(e), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • the existence of the data subject's right to lodge a complaint with the Commissioner and the contact details of the Commissioner; (§ 45(2)(f), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • the right to lodge a complaint with the Commissioner and the contact details of the Commissioner; (§ 93(1)(e), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • Data subjects are informed, in writing, about the reason a request for correction of PI was denied and how they may appeal. (A5.2 Communicates denial of correction requests, Privacy Management Framework, Updated March 1, 2020)
  • Data subjects are informed about how to contact the entity with inquiries, complaints and disputes. (M9.1 Communicates to data subjects, Privacy Management Framework, Updated March 1, 2020)
  • The organization should provide a mechanism for PII principals to object to the processing of their PII. (§ 7.3.5 Control, ISO/IEC 27701:2019, Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines)
  • Data subjects are informed, in writing, about the reason a request for correction of personal information was denied and how they may appeal. (P5.2 ¶ 2 Bullet 4 Communicates Denial of Correction Requests, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Data subjects or data controllers are informed about how to contact the entity with inquiries, complaints, and disputes. (P8.1 ¶ 2 Bullet 1 Communicates to Data Subjects or Data Controllers, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • the name or title, and the address, of the person who is accountable for the organization's policies and practices and to whom complaints or inquiries can be forwarded; (Schedule 1 4.8.2(a), Canada Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, Last amended on June 23, 2015)
  • The organization must make available the name or title and the address of the person to whom inquiries or complaints regarding the organization's practices and policies may be forwarded. (Sched 1 Clause 4.8.2(a), Canada Personal Information Protection Electronic Documents Act (PIPEDA), 2000, c.5)
  • Public companies, in their area of expertise, will disseminate the name, address, and email address of the public servants who are responsible for receiving and handling public information requests. (Art 15.XIII, Tlaxcala Law on Access to Public Information and Personal Data Protection)
  • The privacy policy should include a description of how individuals can make complaints, inquiries, and disputes. (Generally Accepted Privacy Principles and Criteria § 10.1.1, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The privacy policy should include how to contact the organization for complaints and issues. (Table Ref 2.1.1.i, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should provide a process for individuals to notify and challenge conflicts in their preferences. (Table Ref 3.2.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should have a designated Privacy Officer to receive access requests or complaints about personal information it has transferred. (Table Ref 7.2.2, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy policy should include the contact information to direct complaints to. (Table Ref 10.1.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Data subjects are informed, in writing, about the reason a request for correction of personal information was denied and how they may appeal. (P5.2 Communicates Denial of Correction Requests, Trust Services Criteria)
  • Data subjects are informed about how to contact the entity with inquiries, complaints, and disputes. (P8.1 Communicates to Data Subjects, Trust Services Criteria)
  • Data subjects are informed about how to contact the entity with inquiries, complaints, and disputes. (P8.1 ¶ 2 Bullet 1 Communicates to Data Subjects, Trust Services Criteria, (includes March 2020 updates))
  • Data subjects are informed, in writing, about the reason a request for correction of personal information was denied and how they may appeal. (P5.2 ¶ 2 Bullet 3 Communicates Denial of Correction Requests, Trust Services Criteria, (includes March 2020 updates))
  • the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, and whether it is: (1) the panel established by DPAs, (2) an alternative dispute resolution provider based in the EU, or (3) an alternative dispute resolution p… (II.1.a.ix., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Consistent with the fundamental nature of access, organizations should always make good faith efforts to provide access. For example, where certain information needs to be protected and can be readily separated from other personal information subject to an access request, the organization should red… (III.8.a.iii., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • how to contact the organization with any inquiries or complaints, including any relevant establishment in the EU that can respond to such inquiries or complaints, (II.1.a.v., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • An organization which claims an exception has the burden of demonstrating its necessity, and the reasons for restricting access and a contact point for further inquiries should be given to individuals. (III.8.e.ii., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • how to contact the organization with any inquiries or complaints, including any relevant establishment in the EU that can respond to such inquiries or complaints, (§ II.1.a.v., EU-U.S. Privacy Shield Framework Principles)
  • the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, and whether it is: (1) the panel established by DPAs, (2) an alternative dispute resolution provider based in the EU, or (3) an alternative dispute resolution p… (§ II.1.a.ix., EU-U.S. Privacy Shield Framework Principles)
  • a contact office for the handling of complaints, access requests, and any other issues arising under the Privacy Shield; (§ III.6.b.iii.3., EU-U.S. Privacy Shield Framework Principles)
  • Consistent with the fundamental nature of access, organizations should always make good faith efforts to provide access. For example, where certain information needs to be protected and can be readily separated from other personal information subject to an access request, the organization should red… (§ III.8.a.iii., EU-U.S. Privacy Shield Framework Principles)
  • An organization which claims an exception has the burden of demonstrating its necessity, and the reasons for restricting access and a contact point for further inquiries should be given to individuals. (§ III.8.e.ii., EU-U.S. Privacy Shield Framework Principles)
  • An organization which claims an exception has the burden of demonstrating its necessity, and the reasons for restricting access and a contact point for further inquiries should be given to individuals. (iii.8.e.ii., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, and whether it is: (1) the FDPIC, (2) an alternative dispute resolution provider based in Switzerland, or (3) an alternative dispute resolution provider based i… (ii.1.a.ix., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • how to contact the organization with any inquiries or complaints, including any relevant establishment in Switzerland that can respond to such inquiries or complaints, (ii.1.a.v., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Consistent with the fundamental nature of access, organizations should always make good faith efforts to provide access. For example, where certain information needs to be protected and can be readily separated from other personal information subject to an access request, the organization should red… (iii.8.a.iii., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, and whether it is: (1) the panel established by DPAs, (2) an alternative dispute resolution provider based in the EU, or (3) an alternative dispute resolution p… (II.1.a.ix., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Consistent with the fundamental nature of access, organizations should always make good faith efforts to provide access. For example, where certain information needs to be protected and can be readily separated from other personal information subject to an access request, the organization should red… (III.8.a.iii., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • how to contact the organization with any inquiries or complaints, including any relevant establishment in the EU that can respond to such inquiries or complaints, (II.1.a.v., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • An organization which claims an exception has the burden of demonstrating its necessity, and the reasons for restricting access and a contact point for further inquiries should be given to individuals. (III.8.e.ii., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • The organization must notify individuals about how to contact the organization to complain or ask questions. (NOTICE, US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • The self-certification letter for the safe harbor should contain a description of the privacy policy that includes a Point Of Contact to handle complaints and access requests. (FAQ-Self-Certification ¶ 2.3.c, US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • Notices must contain a statement about individuals having the right to complain to the covered entity and the Secretary of Health and Human Resources, if they believe their privacy rights have been violated, how to file a complaint, and they will not be retaliated against for filing a complaint. (§ 164.520(b)(1)(vi), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • A contact office or person must be designated to receive complaints and to provide further information about items in the notice. (§ 164.530(a)(1)(ii), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Implementation specification: Documentation. A covered entity must document the titles of the persons or offices responsible for receiving and processing requests for amendments by individuals and retain the documentation as required by §164.530(j). (§ 164.526(f), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • A covered entity must designate a contact person or office who is responsible for receiving complaints under this section and who is able to provide further information about matters covered by the notice required by §164.520. (§ 164.530(a)(1)(ii), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • A description of how the individual may complain to the covered entity pursuant to the complaint procedures established in §164.530(d) or to the Secretary pursuant to the procedures established in §160.306. The description must include the name, or title, and telephone number of the contact person… (§ 164.526(d)(1)(iv), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • A description of how the individual may complain to the covered entity pursuant to the complaint procedures in §164.530(d) or to the Secretary pursuant to the procedures in §160.306. The description must include the name, or title, and telephone number of the contact person or office designated in… (§ 164.524(d)(2)(iii), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Add to the home page of its Web site a link either to a page titled "Your Privacy Rights" or add the words "Your Privacy Rights" to the home page's link to the business's privacy policy. If the business elects to add the words "Your Privacy Rights" to the link to the business's privacy policy, the w… (§ 1798.83(b)(1)(B), California Civil Code Title 1.81 Customer Records § 1798.80-1798.84)