Require data controllers to be accountable for their actions.


CONTROL ID
00470
CONTROL TYPE
Establish Roles
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a personal data accountability program., CC ID: 13432

This Control has the following implementation support Control(s):
  • Bind data controllers to secrecy concerning the performance of their duties., CC ID: 12610
  • Notify the supervisory authority., CC ID: 00472
  • Cooperate with Data Protection Authorities., CC ID: 06870
  • Submit a safe harbor self-certification letter., CC ID: 06871


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • controls the use of the data in such a way as to prohibit the data user who does hold the data from complying (whether in whole or in part) with a data access request which relates to the data, shall be deemed to hold the data, and the provisions of this Ordinance (including this section) shall be c… (Part 5 Division 1 Section 18(4)(b), Hong Kong Personal Data (Privacy) Ordinance, E.R. 1 of 2013)
  • controls the processing of the data in such a way as to prohibit the data user who does hold the data from complying (whether in whole or in part) with section 23(1) in relation to a data correction request which relates to the data, shall be deemed to be a data user to whom such a request may be ma… (Part 5 Division 2 Section 22(2)(b), Hong Kong Personal Data (Privacy) Ordinance, E.R. 1 of 2013)
  • "Authorized personal information protection organization" or other names that might be mistaken for this cannot be used by business operators that are not authorized personal information protection organizations. (Art 45, Japan Act on the Protection of Personal Information Protection (Law No. 57 of 2003))
  • Where a consent given by the Data Principal is the basis of processing of personal data and a question arises in this regard in a proceeding, the Data Fiduciary shall be obliged to prove that a notice was given by her to the Data Principal and consent was given by such Data Principal to the Data Fid… (§ 6.(10), Digital Personal Data Protection Act, 2023, August 11, 2023)
  • Users must be held accountable for data they transfer from and to a system. (Control: 0661, Australian Government Information Security Manual: Controls)
  • The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’). (Art. 5.2., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request. (Art. 12.5. ¶ 1, Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of … (Art. 26.1., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly re… (Art. 38.3., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • Telecommunications operators are required to disclose identification data and geographic information to emergency personnel. (§ 35(1), Finland Act on the Protection of Privacy in Electronic Communications, Unofficial Translation)
  • Data controllers should be accountable for complying with the implemented measures to give effect to these principles. (¶ 14, OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data)
  • Additional protections apply in the case of an onward transfer to a third party agent (i.e. a processor). In such a case, the U.S. organisation must ensure that the agent only acts on its instructions and take reasonable and appropriate steps (i) to ensure that the agent effectively processes the pe… (2.2.6 (43), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • Management: The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures. (Privacy Principle 1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • HOLD THE STEWARDS OF OUR DATA ACCOUNTABLE (STRATEGIC OBJECTIVE 3.1, National Cybersecurity Strategy)
  • HOLD THE STEWARDS OF OUR DATA ACCOUNTABLE (STRATEGIC OBJECTIVE 3.1, National Cybersecurity Strategy (Condensed))