Include other organizations that personal data is being disclosed to in the privacy policy.


CONTROL ID: 00409
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Define what is included in the privacy policy., CC ID: 00404

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The name of the person (referring to the name of a legal entity, if the person is a legal entity) to whom personal information is furnished, if the personal information is furnished to a third party, purposes of use of the person to whom the personal information is furnished, and items of the person… (Article 27-2(2)(2), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • Details of business affairs subject to the entrustment of management of personal information and the trustee (they shall be included in the policy on management, only where this subparagraph is applicable); (Article 27-2(2)(4), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • Provision of personal information to a third party (if applicable); (Article 30(1) (3), Personal Information Protection Act)
  • Outsourcing of personal information processing (if applicable); (Article 30(1) (4), Personal Information Protection Act)
  • A recordkeeper shall maintain a record that lists the persons who are entitled to access the records and the conditions for accessing the records. (§ 14 Prin. 5(3)(e), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • A recordkeeper who possesses or controls records containing personal information shall not disclose the information to anyone other than the concerned individual, unless the concerned individual is reasonably made aware that the information is usually passed to that person, body, or agency. (§ 14 Prin. 11(1)(a), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • the purposes for which the entity collects, holds, uses and discloses personal information; (Schedule 1 Part 1 Clause 1 Subclause 1.4(c), Australian Privacy Act 1988, Compilation No. 77)
  • whether the entity is likely to disclose personal information to overseas recipients; (Schedule 1 Part 1 Clause 1 Subclause 1.4(f), Australian Privacy Act 1988, Compilation No. 77)
  • if the entity is likely to disclose personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy. (Schedule 1 Part 1 Clause 1 Subclause 1.4(g), Australian Privacy Act 1988, Compilation No. 77)
  • if the APP entity is likely to disclose the personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries in the notification or to otherwise make the individual aware of them. (Schedule 1 Part 2 Clause 5 Subclause 5.2(j), Australian Privacy Act 1988, Compilation No. 77)
  • A list of other organizations the collected information is shared with should be included in the privacy policy. (Pg 27, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business)
  • The privacy notice should identify the third parties that the organization discloses personal information to. (Table Ref 7.1.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Description of parties subject to exceptions. If a licensee discloses nonpublic personal financial information as authorized under Sections 16 and 17, the licensee is not required to list those exceptions in the initial or annual privacy notices required by Sections 5 and 6. When describing the cate… (Section 7.B, Privacy of Consumer Financial and Health Information Regulation, NAIC MDL-672, Q2 2017)
  • Categories of nonpublic personal financial information that the licensee reserves the right to disclose in the future, but does not currently disclose; and (Section 7.E(1), Privacy of Consumer Financial and Health Information Regulation, NAIC MDL-672, Q2 2017)
  • The categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information, other than those parties to whom the licensee discloses information under Sections 16 and 17; (Section 7.A(3), Privacy of Consumer Financial and Health Information Regulation, NAIC MDL-672, Q2 2017)
  • If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under Section 15 (and no other exception in Sections 16 and 17 applies to that disclosure), a separate description of the categories of information the licensee discloses and the categories of third parti… (Section 7.A(5), Privacy of Consumer Financial and Health Information Regulation, NAIC MDL-672, Q2 2017)
  • To a participant in an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program. (Section 14.B(3), Privacy of Consumer Financial and Health Information Regulation, NAIC MDL-672, Q2 2017)
  • The categories of nonpublic personal financial information about the licensee's former customers that the licensee discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information about the licensee's former customers,… (Section 7.A(4), Privacy of Consumer Financial and Health Information Regulation, NAIC MDL-672, Q2 2017)
  • The information practices notice must state whether personal information will be disclosed to third parties, and if so, the types of businesses to which the information will be disclosed, and the purposes for which that type of information is used; whether the third parties have agreed to maintain t… (§ 312.4(b)(2)(iv), 16 CFR Part 312, Children's Online Privacy Protection Rule)
  • (§ 551(a)(1)(B), Cable Communications Privacy Act Title 47 § 551)
  • disclosing nonpublic personal information to affiliates and nonaffiliated third parties, consistent with section 502, including the categories of information that may be disclosed; (§ 503(a)(1), GLB Gramm-Leach-Bliley Act (GLB), Title V, Nov. 12, 1999)
  • The organization describes whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing. (TR-1b.(iii), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (TR-1b.(iii), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Disclose whether other parties may collect personally identifiable information about an individual consumer's online activities over time and across different Web sites when a consumer uses the operator's Web site or service. (§ 22575(b)(6), California Civil Code, Division 8, Chapter 22, § 22575 to 22579 -Internet Privacy Requirements)
  • Identify the categories of personally identifiable information that the operator collects through the Web site or online service about individual consumers who use or visit its commercial Web site or online service and the categories of third-party persons or entities with whom the operator may shar… (§ 22575(b)(1), California Civil Code, Division 8, Chapter 22, § 22575 to 22579 -Internet Privacy Requirements)
  • Identify the categories of personally identifiable information that the operator collects through the internet website, online or cloud computing service, online application, or mobile application about users of its commercial internet website, online or cloud computing service, online application, … (§ 1205C(b)(1), Delaware Code, Title 6, Commerce and Trade, Subtitle II, Other Laws Relating to Commerce and Trade, Chapter 12C, Online and Personal Privacy Protection)