Implement procedures to file privacy rights violation complaints.


CONTROL ID: 00476
CONTROL TYPE: Data and Information Management
CLASSIFICATION: Corrective

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Develop remedies and sanctions for privacy policy violations., CC ID: 00474

This Control has the following implementation support Control(s):
  • File privacy rights violation complaints in writing., CC ID: 00477
  • Provide assistance to data subjects for filing privacy rights violation complaints., CC ID: 00478
  • Refrain from charging a fee to file a privacy rights violation complaint., CC ID: 16807
  • File privacy rights violation complaints inside the mandate stipulated from the refusal., CC ID: 00479


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • A consumer may file a complaint with the authority for any non-compliance by the supplier. (§ 40, The Electronic Communications and Transactions Act, 2002)
  • Business operators that handle personal information must try to promptly and appropriately process complaints about handling personal information and develop a system to achieve this requirement. (Art 31, Japan Act on the Protection of Personal Information Protection (Law No. 57 of 2003))
  • Any organization or individual has the right to complain and report to a department with personal information protection duties about illegal personal information processing. The department that receives such a complaint or report shall handle it in a timely manner in accordance with the law, and no… (Article 65 ¶ 1, Personal Information Protection Law of the People's Republic of China)
  • Every provider of telecommunications billing services shall prepare a procedure for raising an objection by users of telecommunications billing services in connection with the services and redressing damages to their rights, as prescribed by Presidential Decree, and where he or she enters into a con… (Article 59(2), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • An individual may complain to the information commissioner about acts or practices that may be an interference to an individual's privacy. (§ 36(1), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • Any of the individuals who are involved in an act or practice that interferes with the privacy of 2 or more individuals may make a complaint on behalf of all the individuals. (§ 36(2), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The complaint shall state who the respondent to the complaint is. (§ 36(5), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • A representative complaint may be filed under section 36 or accepted under section 40(1b) only if the class members have complaints against the same person, all of the complaints arise out of or are in respect of the same or similar circumstances, and all of the complaints are about a substantial co… (§ 38(1), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • A representative complaint may be filed absent the consent of class members. (§ 38(3), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • A class member of a representative complaint is not entitled to file a complaint for the same subject matter. (§ 39, Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • An individual is entitled to complain to the Privacy Commissioner about a potential violation of privacy rights. The complaint should be in writing. (§ 36(1), Australia Privacy Act 1988)
  • If damage other than property damage has resulted from personal data processing, the data subject must follow the procedures in a special Act to lodge a claim. (Art 21(5), Czech Republic Personal Data Protection Act, April 4, 2000)
  • If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory aut… (Art. 12.4., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • the right to lodge a complaint with a supervisory authority; (Art. 15.1.(f), Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject cons… (Art. 77.1., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • The data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjec… (Art. 80.1., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • When a person is exercising his/her right of access and suspects the disclosed data does not comply with the processed data, he/she may inform the Commission Nationale. (Art 28(5), Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data)
  • The data subject, technical data processor, or data controller may request a judicial review by a court within 30 days of receipt of a decision made by the Data Protection Commissioner on the grounds of infringement. The data may not be deleted, destroyed, or processed, and the data must be blocked,… (Art 25(5), Hungary Protection of Personal Data and Disclosure of Data of Public Interest)
  • All claims must refer to as many details as possible to the facts and circumstances that the claim is grounded, the allegedly infringed provisions, remedies sought, and the identification data about the data controller, data processor, and claimant. Claims must be signed by the data subjects or the … (§ 142, § 145, § 147, § 148, Italy Personal Data Protection Code)
  • Complaints about personal data must be submitted to the Court Registrar by registered letter or deposited at the Registrar's Office. The claim must contain the following information: the day, month, and year; the name, place of residence, and profession of the complainant; the name and place of resi… (Art 14.3, Art 14.4, Belgian Law of 8 December 1992 on the protection of privacy in relation to the processing of persona, Unofficial English Translation November 2008)
  • Data subjects may file complaints with the appropriate supervisory authority about the processing of data that relates to them. (§ 40, Denmark, The Act on Processing of Personal Data)
  • Data subjects may notify the Data Protection Agency or the competent body in the Autonomous Community when they are denied, either wholly or partially, their rights of objection, access, rectification, or cancellation. The Data Protection Authority must decide on the admissibility or inadmissibility… (Art 18.1, Art 18.2, ORGANIC LAW 15/1999 of 13 December on the Protection of Personal Data)
  • Everyone has the right to file a complaint with the Data Protection Commission because of an alleged infringement of his/her rights or obligations of this Federal Act by a data controller or processor. Lodging an application (section 30), a complaint (section 31), or legal action (section 32), and d… (§ 30(1), § 34(1), Austria Data Protection Act)
  • If the data controller fails to correct, amend, erase, or update personal data, the data subject may notify the Inspector General, who will issue an order to the data controller. (Art 35.2, Poland Protection of Personal Data Act)
  • The data subject may notify the Office, if he/she suspects personal data is being processed without proper authorization. A data subject or a natural person may file a notification with the Office, if he/she believes his/her rights were directly infringed upon. The notification must contain: the nam… (§ 20(6), § 45(2), § 45(9), Slovak Republic Protection of Personal Data in Information Systems)
  • the existence of the data subject's right to lodge a complaint with the Commissioner and the contact details of the Commissioner; (§ 45(2)(f), UK Data Protection Act 2018 Chapter 12)
  • where subsection (1)(a) or (b) applies, request the Commissioner to check that the restriction imposed by the controller was lawful; (§ 51(2)(a), UK Data Protection Act 2018 Chapter 12)
  • where subsection (1)(c) applies, request the Commissioner to check that the refusal of the data subject's request was lawful. (§ 51(2)(b), UK Data Protection Act 2018 Chapter 12)
  • the existence of the data subject's right to lodge a complaint with the Commissioner and the contact details of the Commissioner; (§ 45(2)(f), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • where subsection (1)(a) or (b) applies, request the Commissioner to check that the restriction imposed by the controller was lawful; (§ 51(2)(a), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • where subsection (1)(c) applies, request the Commissioner to check that the refusal of the data subject's request was lawful. (§ 51(2)(b), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • The entity implements a process for receiving, addressing, resolving and communicating the resolution of inquiries, complaints and disputes from data subjects and others and periodically monitors compliance to meet the entity's objectives related to privacy. Corrections and other necessary actions r… (M9.1, Privacy Management Framework, Updated March 1, 2020)
  • A process is in place to address inquiries, complaints and disputes. (M9.1 Addresses inquiries, complaints and disputes, Privacy Management Framework, Updated March 1, 2020)
  • Data subjects should have certain rights which can be enforced against the controller or processor, in particular the right of access to data, the right to object to the processing and the right to have data rectified and erased. (2.2.5 (29), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • Consequently, the EU-U.S. DPF provides data subjects with a number of possibilities to enforce their rights, lodge complaints regarding non-compliance by EU-U.S. organisations and to have their complaints resolved, if necessary by a decision providing an effective remedy. Individuals can bring a com… (2.4 (68), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • The EU-U.S. DPF, through the Recourse, Enforcement and Liability Principle, requires organisations to provide recourse for individuals who are affected by non-compliance and thus the possibility for Union data subjects to lodge complaints regarding non-compliance by EU-U.S. DPF organisations and to … (2.4 (66), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • First, a specific redress mechanism is established, under EO 14086, complemented by the AG Regulation establishing the Data Protection Review Court, to handle and resolve complaints from individuals concerning U.S. signals intelligence activities. Any individual in the EU is entitled to submit a com… (3.2.3 (176), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • A Union data subject who wishes to lodge such a complaint must submit it to a supervisory authority in an EU Member State competent for the oversight of the processing of personal data by public authorities (a DPA). This ensures easy access to the redress mechanism by allowing individuals to turn to… (3.2.3 (177), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • In particular, FISA and a related statute provides the possibility for individuals to bring a civil action for money damages against the United States when information about them has been unlawfully and wilfully used or disclosed; to sue U.S. government officials acting in their personal capacity fo… (3.2.3 (196), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • Individuals may first of all lodge requests or complaints with criminal law enforcement authorities concerning the handling of their personal data. This includes the possibility to request access to and correction of personal data. As regards activities relating to counter-terrorism, individuals may… (3.1.3 (113), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • A process is in place to address inquiries, complaints, and disputes. (P8.1 ¶ 2 Bullet 2 Addresses Inquiries, Complaints, and Disputes, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance to meet the entity's objectives related to privacy. Corrections and other necessary actions… (P8.1 ¶ 1, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The entity communicates to user entities, third parties, data subjects, and others the process used to report a suspected privacy incident. (CC2.3 ¶ 5 Bullet 2 Communicates Incident Reporting Methods, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The entity has communicated to employees and others within the entity the process used to report a suspected privacy incident. (CC2.2 ¶ 5 Bullet 2 Communicates Incident Reporting Methods, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The Privacy Commissioner must receive and investigate complaints, as follows: from individuals who allege their personal information that is held by a government institution has been used or disclosed in a way not in accordance with Sections 7 or 8; from individuals refused access to their informati… (§ 29(1), § 29(2), Canada Privacy Act, P-21)
  • establishing procedures to receive and respond to complaints and inquiries; (Schedule 1 4.1.4(b), Canada Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, Last amended on June 23, 2015)
  • Organizations shall put procedures in place to receive and respond to complaints or inquiries about their policies and practices relating to the handling of personal information. The complaint procedures should be easily accessible and simple to use. (Schedule 1 4.10.2, Canada Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, Last amended on June 23, 2015)
  • An individual has the right to file a written complaint with the Privacy Commissioner against an organization that violates any Division 1 provision or that does not follow a Schedule 1 recommendation. The Privacy Commissioner must notify the organization against which a complaint was filed. The org… (§ 11(1), § 11(4), Sched 1 Clause 4.10.2, Canada Personal Information Protection Electronic Documents Act (PIPEDA), 2000, c.5)
  • A person who was denied rights under this Act must file a complaint with the State Commission for Access to Public Information. The Commission must verify the complaint's validity and issue a resolution within a maximum period of 90 calendar days from the day the complaint was filed. (Art 8, Colima Personal Data Protection Law (Decree No. 356))
  • A complaint may be filed for failing to deliver personal data reports within the required time period, failing to notify the requestor within the set time limit of the correction or deletion of requested personal data, and refusing to correct or cancel personal data. The data owner, or his/her repre… (Art 25, Art 26, Guanajuato Personal Data Protection Law)
  • Applicants may appeal for a review before the Institute about final decisions falling under his/her request for access, rectification, cancellation, or opposition, or the omission of a response. The public information office will advise the applicant about his/her right to bring a judicial review an… (Art 38, The Personal Data Protection Law for the Federal District (Mexico City))
  • The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy related inquiries, complaints, and disputes. (Generally Accepted Privacy Principles and Criteria § 10.0, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should have an implemented process to address inquiries, complaints, and disputes. (Generally Accepted Privacy Principles and Criteria § 10.2.1, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should have a formal documented process for documenting and responding to complaints in a timely way. (Table Ref 10.2.2, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include how complaints, questions, and disputes about personal information … (¶ 1.35.e.viii, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • A process is in place to address inquiries, complaints, and disputes. (P8.1 Addresses Inquiries, Complaints, and Disputes, Trust Services Criteria)
  • The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance to meet the entity's objectives related to privacy. Corrections and other necessary actions… (P8.1, Trust Services Criteria)
  • A process is in place to address inquiries, complaints, and disputes. (P8.1 ¶ 2 Bullet 2 Addresses Inquiries, Complaints, and Disputes, Trust Services Criteria, (includes March 2020 updates))
  • The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance to meet the entity's objectives related to privacy. Corrections and other necessary actions… (P8.1 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance with the entity's privacy commitments and system requirements; corrections and other nece… (P8.1, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • Are there enforcement mechanisms in place to address complaints, disputes, and recourse for privacy compliance violations? (§ P.10.1, Shared Assessments Standardized Information Gathering Questionnaire - P. Privacy, 7.0)
  • § 422.562(b): Enrollees have the following rights: to have grievances heard and resolved; to have a timely organization determination; and to request an expedited organization determination. Enrollees have the following appeal rights: to a reconsideration of adverse organization determination; to r… (§ 422.562(b), § 422.564(d)(2), 42 CFR Parts 412, 413, 422 et al., Medicare and Medicaid Programs; Electronic Health Record Incentive Program, Final Rule)
  • Civil action may not be brought unless it is started no later than 2 years from the date the act occurred or the date of discovery. (§ 2710(c)(3), 18 USC § 2710, Wrongful disclosure of video tape rental or sale records)
  • The Federal Trade Commission is tasked with compiling all complaints it receives about incomplete or inaccurate information in a consumer file that the consumer has already disputed with the consumer reporting agency and sending that information to each consumer reporting agency that is involved. (§ 313(a), Fair and Accurate Credit Transactions Act of 2003 (FACT Act))
  • The Federal Trade Commission is tasked with compiling all complaints it receives about incomplete or inaccurate information in a consumer file that the consumer has already disputed with the consumer reporting agency and sending that information to each consumer reporting agency that is involved. (§ 611(e), Fair Credit Reporting Act (FCRA), July 30, 2004)
  • A customer can file a motion to quash an administrative summons or judicial subpoena or an application to enjoin a Government authority from obtaining financial records pursuant to a written request, if it is within 10 days of being served or 14 days of the financial institution mailing a summons, s… (§ 3410(a), § 3410(e), Right to Financial Privacy Act)
  • Effective privacy protection must include robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. At a minimum such mechanisms must incl… (II.7.a., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Individuals should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to an individual within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual qu… (III.11.d.i., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Organizations will implement their commitment to cooperate with DPAs as described below. Under the EU-U.S. DPF, U.S. organizations receiving personal data from the EU must commit to employ effective mechanisms for assuring compliance with the Principles. More specifically as set out in the Recourse,… (III.5.a., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • compliance with legal or regulatory supervisory authorities that provide for handling of individual complaints and dispute resolution; or (III.11.a.(ii), EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Effective privacy protection must include robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. At a minimum such mechanisms must incl… (§ II.7.a., EU-U.S. Privacy Shield Framework Principles)
  • readily available independent recourse mechanisms by which each individual's complaints and disputes are investigated and expeditiously resolved at no cost to the individual and by reference to the Principles, and damages awarded where the applicable law or private-sector initiatives so provide; (§ II.7.a.i., EU-U.S. Privacy Shield Framework Principles)
  • Consumers should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to a consumer within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual questio… (§ III.11.d.i., EU-U.S. Privacy Shield Framework Principles)
  • compliance with legal or regulatory supervisory authorities that provide for handling of individual complaints and dispute resolution; or (iii.11.a.(ii), SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Effective privacy protection must include robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. At a minimum such mechanisms must incl… (ii.7.a., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Individuals should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to an individual within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual qu… (iii.11.d.i., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Organizations will implement their commitment to cooperate with the FDPIC as described below. Under the Swiss-U.S. DPF, U.S. organizations receiving personal data from Switzerland must commit to employ effective mechanisms for assuring compliance with the Principles. More specifically as set out in … (iii.5.a, SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Effective privacy protection must include robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. At a minimum such mechanisms must incl… (II.7.a., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Individuals should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to an individual within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual qu… (III.11.d.i., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Organizations will implement their commitment to cooperate with DPAs as described below. Under the EU-U.S. DPF, U.S. organizations receiving personal data from the EU must commit to employ effective mechanisms for assuring compliance with the Principles. More specifically as set out in the Recourse,… (III.5.a., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • compliance with legal or regulatory supervisory authorities that provide for handling of individual complaints and dispute resolution; or (III.11.a.(ii), UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • The organization must make the recourse for individuals readily available and affordable. (FAQ-Dispute Resolution and Enforcement "Recourse Mechanisms", US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • The recourse mechanisms should include information on how the dispute resolution procedures work once a complaint is filed. (FAQ-Dispute Resolution and Enforcement "Recourse Mechanisms", US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • The Secretary may prescribe additional procedures for the filing of complaints, as well as the place and manner of filing, by notice in the Federal Register. (§ 160.306(b)(4), 45 CFR Part 160 - General Administrative Requirements)
  • A person may file a complaint with the Secretary of Health and Human Services, if he/she believes the covered entity is not complying with the administrative simplification provisions. (§ 160.306(a), 45 CFR Part 160 - General Administrative Requirements)
  • A process for making complaints must be provided. All received complaints must be documented, along with their disposition. (§ 164.530(d), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Standard: Complaints to the covered entity. A covered entity must provide a process for individuals to make complaints concerning the covered entity's policies and procedures required by this subpart and subpart D of this part or its compliance with such policies and procedures or the requirements o… (§ 164.530(d)(1), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Taxpayers may bring civil action for damages for any disclosures, committed knowingly or negligently, of taxpayer return information. (Exhibit 5, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Individuals who have been treated wrongly in violation of this section may notify the office of consumer affairs and business regulation or the office of the Attorney General. (§ 105(d), The Commonwealth of Massachusetts, Title XV, Ch 93, Section 105, Credit cards; checks; personal identification information)
  • Any individual injured by a violation of this section may institute a civil action to recover damages. (§42.56.590(12)(a), Revised Code of Washington Title 42, Chapter 42.56, Section 42.56.590 Personal information—Notice of security breaches.)
  • A complaint must contain specific allegations of fact giving reasonable cause to believe that a violation of the Act or this part has occurred. A complaint does not have to allege that a violation is based on a policy or practice of the educational agency or institution, other recipient of Departmen… (§ 99.64(a), 34 CFR Part 99, Family Educational Rights and Privacy)
  • The action for protecting personal data, or of habeas data, applies to the acquisition of knowledge of personal data stored in private or public data files, banks, or registers intended for providing reports and to cases where the inaccuracy, outdating, or falsehood of the information is presumed an… (§ 33, § 34, § 35, § 36, Argentina Personal Data Protection Act)
  • The personal data subject has the right to petition, regarding her/his data, against the controller before the national authority. (Art. 18.IX § 1, Brazilian Law No. 13709, of August 14, 2018)