Develop remedies and sanctions for privacy policy violations.


CONTROL ID
00474
CONTROL TYPE
Data and Information Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a privacy framework that protects restricted data., CC ID: 11850

This Control has the following implementation support Control(s):
  • Define the behaviors and actions that are included in privacy rights violations., CC ID: 14852
  • Implement procedures to file privacy rights violation complaints., CC ID: 00476
  • Change or destroy any personal data that is incorrect., CC ID: 00462
  • Establish, implement, and maintain a privacy dispute resolution program., CC ID: 12526
  • Order the cessation of data processing when a violation of the privacy policy is detected., CC ID: 00475
  • Investigate privacy rights violation complaints., CC ID: 00480
  • Create an investigative report in regards to a privacy rights violation complaint., CC ID: 00495
  • Respond to an investigative report in regards to a privacy rights violation complaint., CC ID: 00496
  • Define the available administrative remedies in regards to a privacy rights violation complaint., CC ID: 00497
  • Destroy personal data that breaches privacy after the privacy breach has been detected., CC ID: 00503
  • Define the organization's liability based on the applicable law., CC ID: 00504
  • Define the appeal process based on the applicable law., CC ID: 00506
  • Provide notice of proposed penalties., CC ID: 06216
  • Notify the public and other agencies after a penalty becomes final., CC ID: 06217
  • Refrain from subjecting individuals to retaliation or intimidation after a complaint is created., CC ID: 06218


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Art 9: The State must ensure complaints from affected persons to business operators about the handling of personal information are appropriately and promptly processed. Art 13: Local governments must attempt to mediate complaints and take necessary measures to ensure any complaints about handling p… (Art 9, Art 13, Japan Act on the Protection of Personal Information Protection (Law No. 57 of 2003))
  • A Data Principal shall have the right to have readily available means of grievance redressal provided by a Data Fiduciary or Consent Manager in respect of any act or omission of such Data Fiduciary or Consent Manager regarding the performance of its obligations in relation to the personal data of su… (§ 13.(1), Digital Personal Data Protection Act, 2023, August 11, 2023)
  • The operator or the manager of the Internet website may take measures, such as deletion of advertising information for profit posted, in violation of paragraph (1) or (2). (Article 50-7(3), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • A provider of information and communications services may, if it finds that information circulated through the information and communications network operated and managed by him or her intrudes on someone's privacy, defames someone, or violates someone's rights, take temporary measures at its discre… (Article 44-3(1), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • Where a privacy officer becomes aware of any violation of this Act or other relevant statutes in relation to the protection of personal information, the privacy officer shall take corrective measures immediately, and shall report such corrective measures to the head of the institution or organizatio… (Article 31(4), Personal Information Protection Act)
  • (Ch 4, Taiwan Computer-Processed Personal Data Protection Law 1995)
  • (Pg 7, Australia Spam Act 2003: A practical guide for business)
  • (§ 84, New Zealand Privacy Act 1993)
  • The exercise of rights in civil judicial proceedings, administrative proceedings, and criminal proceedings will be provided in a special Act. (Art 20(2), Czech Republic Personal Data Protection Act, April 4, 2000)
  • Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the data subject within thre… (Art. 78.2., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • The supervisory authority may instruct that measures be taken to correct any technical or organizational irregularities discovered to guarantee data protection within the scope of the requirements in Section 9 of this Act. For grave irregularities, especially for privacy impairments, the supervisory… (§ 38(5), German Federal Data Protection Act, September 14, 1994)
  • The exemption of making a declaration as required in Article 22, for processing for professional journalism, is conditional on the appointment by the data controller of a data protection officer who belongs to a media undertaking, maintains a processing register, and independently ensures the proper… (Art 67, France Data Processing, Data Files and Individual Liberties)
  • If a data controller or processor violates this Act or instructions or rules issued by the Data Protection Authority while processing personal data, the data controller must compensate the data subject for any financial damages suffered. The data controller will not be required to pay compensation, … (Art 43, Iceland Protection of Privacy as regards the Processing of Personal Data)
  • Persons who, without a reasonable excuse, refuse or fail to comply with an enforcement notice requirement, requirements in an information notice, or furnish false or misleading information to the Commissioner will be guilty of an offense. Persons who violate sections 12A(7) or 21(1) of this Act … (§ 10(9), § 12(5), § 12A(7), § 19(6), § 20(2), § 21(2), § 22(1), § 24(6), Ireland Consolidated Data Protection Acts of 1988 and 2003)
  • § 130.6 For persistent breaches of the provisions of Section 130, the Guarantee may order the electronic communications services provider to implement filtering procedures or other measures with regard to electronic contact details for electronic mail used to send the communications. § 141 Data su… (§ 130.6, § 141, Italy Personal Data Protection Code)
  • (Art 29, Italy Protection of Individuals Other Subject with regard to the Processing of Personal Data)
  • If the President of the Court of First Instance has reason to believe that evidence for a claim might disappear or be concealed, he/she, after receipt of a signed ex parte application, must order measures to be taken to ensure the evidence is not concealed or does not disappear. (Art 14.7, Belgian Law of 8 December 1992 on the protection of privacy in relation to the processing of persona, Unofficial English Translation November 2008)
  • An individual has the right to file a complaint to the Comissão Nacional de Protecção de Dados (CNPD) to get recourse by legal and administrative means to guarantee compliance with legally required personal data protection. (Art 33, Portuguese Act on the Protection of Personal Data 67/98)
  • The entity has procedures for identifying and addressing instances when non-compliance with information privacy policies and procedures are identified. (M1.2 Policy compliance, Privacy Management Framework, Updated March 1, 2020)
  • Ongoing procedures are performed for monitoring the effectiveness of controls over PI and for taking timely corrective actions when necessary. (M9.1 Performs ongoing monitoring, Privacy Management Framework, Updated March 1, 2020)
  • In domestically implementing the principles of Parts Two and Three, Member countries should establish administrative, legal, or other procedures or institutions to protect privacy and individual liberties with respect to personal data. Member countries should have adequate remedies and sanctions in … (¶ 19(d), OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data)
  • Secondly, individuals can also bring a complaint directly to the independent dispute resolution body (either in the United States or in the Union) designated by an organisation to investigate and resolve individual complaints (unless they are obviously unfounded or frivolous) and to provide appropri… (2.4 (70), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • In accordance with authority provided by the Clinger-Cohen Act (P.L. 104-106, Division E) and the Computer Security Act of 1987 (P.L. 100-235), the Office of Management and Budget (OMB) issued Circular No. A-130 to establish general binding guidance that applies to all federal agencies (including la… (3.1.1.2 (102), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • Criminal or other penalties, along with appropriate remedies, should be developed for violations of the national law implementing the principles of the United Nations guidelines concerning computerized personal data files. (A.8, UN Guidelines for the Regulation of Computerized Personal Data Files (1990))
  • Ongoing procedures are performed for monitoring the effectiveness of controls over personal information and for taking timely corrective actions when necessary. (P8.1 ¶ 2 Bullet 6 Performs Ongoing Monitoring, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • A sanctions process is defined, and applied as needed, when an employee violates the entity's privacy policies or when an employee's negligent behavior causes a privacy incident. (CC 1.5 ¶ 4 Bullet 1 Takes Disciplinary Actions, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The conduct of individuals and organizations operating under the authority of the entity and involved in the unauthorized use or disclosure of personal information is evaluated and, if appropriate, sanctioned in accordance with entity policies and legal and regulatory requirements. (CC7.4 ¶ 4 Bullet 3 Application of Sanctions, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Appellate reviews will be handled in accordance with the deadlines, requirements, and terms in the Transparency and Access to Public Information Law of the Federal District. (Art 40, The Personal Data Protection Law for the Federal District (Mexico City))
  • The organization should take action when it has knowledge that a third party is using or disclosing personal information in violation of the organization's privacy policy or the contractual agreement. (Generally Accepted Privacy Principles and Criteria § 7.2.4, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Remediation plans are developed and implemented when problems are identified. (Generally Accepted Privacy Principles and Criteria § 10.2.3, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should take action when it has knowledge that a third party is using or disclosing personal information in violation of the organization's privacy policy or the contractual agreement. (Table Ref 7.2.4, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should have implemented procedures to follow for communicating and resolving complaints. (Table Ref 10.2.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should have implemented procedures for communicating the available remedies to individuals. (Table Ref 10.2.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Ongoing procedures are performed for monitoring the effectiveness of controls over personal information and for taking timely corrective actions when necessary. (P8.1 Performs Ongoing Monitoring, Trust Services Criteria)
  • Ongoing procedures are performed for monitoring the effectiveness of controls over personal information and for taking timely corrective actions when necessary. (P8.1 ¶ 2 Bullet 6 Performs Ongoing Monitoring, Trust Services Criteria, (includes March 2020 updates))
  • The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance with the entity’s privacy commitments and system requirements; corrections and other nece… (P8.1, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • A Medicare Advantage (MA) organization must establish meaningful procedures for the timely hearing and resolving of grievances. (§ 422.564(a), 42 CFR Parts 412, 413, 422 et al., Medicare and Medicaid Programs; Electronic Health Record Incentive Program, Final Rule)
  • § 312.9: A violation of regulations under § 6502(a), subject to § 6503 and § 6505 of the Children's Online Privacy Protection Act of 1998, shall be treated as a violation of the rule that defines unfair or deceptive acts or practices under § 18(a)(1)(B) of the Federal Trade Commission Act. § 3… (§ 312.9, § 312.10(b)(4), 16 CFR Part 312, Children's Online Privacy Protection Rule)
  • Any person may bring civil action in a United States district court for a violation of this section. (§ 2710(c)(1), 18 USC § 2710, Wrongful disclosure of video tape rental or sale records)
  • (§ 551(f), Cable Communications Privacy Act Title 47 § 551)
  • Failure by a creditor to comply with sections 202.6(b)(6), 202.9, 202.10, 202.12, or 202.13 is not a violation, if it is a result of an inadvertent error. The creditor must correct any error discovered under sections 202.9 and 202.10 as soon as possible. Should a creditor obtain inadvertently the mo… (§ 202.16(c), Equal Credit Opportunity Act (Reg. B))
  • The Federal Trade Commission, the Federal banking agencies, and the National Credit Union Administration have been tasked with preparing a summary of procedures consumers can use to remedy fraud or identity theft involving credit, electronic fund transfers, or an account or transaction with a financ… (§ 151, § 153, Fair and Accurate Credit Transactions Act of 2003 (FACT Act))
  • The Federal Trade Commission, the Federal banking agencies, and the National Credit Union Administration have been tasked with preparing a summary of procedures consumers can use to remedy fraud or identity theft involving credit, electronic fund transfers, or an account or transaction with a financ… (§ 609(d), § 621(f), Fair Credit Reporting Act (FCRA), July 30, 2004)
  • The rights and remedies that are available under Subtitle B of Title III of this Act are cumulative and will not affect other rights and remedies that are available under law. (§ 317(c), Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress)
  • These remedies and sanctions are the only authorized judicial remedies and sanctions for violations of this chapter. (§ 3417(d), Right to Financial Privacy Act)
  • Effective privacy protection must include robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. At a minimum such mechanisms must incl… (II.7.a., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • obligations to remedy problems arising out of failure to comply with the Principles by organizations announcing their adherence to them and consequences for such organizations. Sanctions must be sufficiently rigorous to ensure compliance by organizations. (II.7.a.iii., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • If an organization persistently fails to comply with the Principles, it is no longer entitled to benefit from the EU-U.S. DPF. Organizations that have persistently failed to comply with the Principles will be removed from the Data Privacy Framework List by the Department and must return or delete th… (III.11.g.i., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Organizations will implement their commitment to cooperate with DPAs as described below. Under the EU-U.S. DPF, U.S. organizations receiving personal data from the EU must commit to employ effective mechanisms for assuring compliance with the Principles. More specifically as set out in the Recourse,… (III.5.a., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • obligations to remedy problems arising out of failure to comply with the Principles by organizations announcing their adherence to them and consequences for such organizations. Sanctions must be sufficiently rigorous to ensure compliance by organizations. (§ II.7.a.iii., EU-U.S. Privacy Shield Framework Principles)
  • To transfer personal data to a third party acting as an agent, organizations must: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonab… (§ II.3.b., EU-U.S. Privacy Shield Framework Principles)
  • obligations to remedy problems arising out of failure to comply with the Principles by organizations announcing their adherence to them and consequences for such organizations. Sanctions must be sufficiently rigorous to ensure compliance by organizations. (ii.7.a.iii., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Effective privacy protection must include robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. At a minimum such mechanisms must incl… (ii.7.a., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • If an organization persistently fails to comply with the Principles, it is no longer entitled to benefit from the Swiss-U.S. DPF. Organizations that have persistently failed to comply with the Principles will be removed from the Data Privacy Framework List by the Department and must return or delete… (iii.11.g.i., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Organizations will implement their commitment to cooperate with the FDPIC as described below. Under the Swiss-U.S. DPF, U.S. organizations receiving personal data from Switzerland must commit to employ effective mechanisms for assuring compliance with the Principles. More specifically as set out in … (iii.5.a, SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Effective privacy protection must include robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. At a minimum such mechanisms must incl… (II.7.a., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • obligations to remedy problems arising out of failure to comply with the Principles by organizations announcing their adherence to them and consequences for such organizations. Sanctions must be sufficiently rigorous to ensure compliance by organizations. (II.7.a.iii., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • If an organization persistently fails to comply with the Principles, it is no longer entitled to benefit from the EU-U.S. DPF. Organizations that have persistently failed to comply with the Principles will be removed from the Data Privacy Framework List by the Department and must return or delete th… (III.11.g.i., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Organizations will implement their commitment to cooperate with DPAs as described below. Under the EU-U.S. DPF, U.S. organizations receiving personal data from the EU must commit to employ effective mechanisms for assuring compliance with the Principles. More specifically as set out in the Recourse,… (III.5.a., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Remedies that the dispute resolution body provides should reverse or correct the effects of the noncompliance, make future processing comply with these principles, and force the organization to cease processing the personal data of the individual who filed the complaint. (FAQ-Dispute Resolution and Enforcement "Remedies and Sanctions", US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • European employees who make complaints about data protection rights violations and are not satisfied with the internal review results, the complaint results, or the appeal procedures results should be directed to the state or national Data Protection Authority or labor authority in the jurisdiction … (FAQ-Human Resources Question 4 ¶ 1, US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • Whenever an agency decides to not correct an individual's record according to the individual's request or fails to review the request in accordance with § 552a(d)(3); refuses to comply with an individual's request under § 552a(d)(1); fails to maintain records with accuracy, timeliness, relevance, … (§ 552a(g)(1), 5 USC § 552a, Records maintained on individuals (Privacy Act of 1974))
  • Create a procedure to impose a sanction for noncompliance with each organization security policy. (§ 4.1.6 Bullet 2, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • The organization should define the consequences of violating the privacy policies of the personal identity verification (PIV) system. (§ 2.4 ¶ 3, FIPS Pub 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors, Change Notice 1)
  • Coordinate with appropriate department or agency officials to define consequences for violating privacy policies of the PIV system. (2.11 ¶ 3 Bullet 8, FIPS Pub 201-3, Personal Identity Verification (PIV) of Federal Employees and Contractors)
  • Develop appropriate sanctions for failure to comply with the corporate privacy policies and procedures (T0890, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Ensure compliance with privacy practices and consistent application of sanctions for failure to comply with privacy policies for all individuals in the organization's workforce, extended workforce and for all business associates in cooperation with Human Resources, the information security officer, … (T0889, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop appropriate sanctions for failure to comply with the corporate privacy policies and procedures (T0890, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Ensure compliance with privacy practices and consistent application of sanctions for failure to comply with privacy policies for all individuals in the organization's workforce, extended workforce and for all business associates in cooperation with Human Resources, the information security officer, … (T0889, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Impose penalties for violation of security and privacy policies and procedures. (Part I ¶ 7, California OPP Recommended Practices on Notification of Security Breach, May 2008)
  • The attorney general may adopt and promulgate rules and regulations, issue subpoenas, and seek injunctive relief and a monetary award for civil penalties, attorney's fees, and costs. (§ 8-2615, Nebraska Revised Statutes, Sections 8-2061 thru 8-2615, Credit Report Protection Act)