Provide assistance to data subjects for filing privacy rights violation complaints.


CONTROL ID: 00478
CONTROL TYPE: Behavior
CLASSIFICATION: Corrective

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Implement procedures to file privacy rights violation complaints. CC ID: 00476

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • the manner in which the Data Principal may make a complaint to the Board, (§ 5.(2) ¶ 1(a)(iii), Digital Personal Data Protection Act, 2023, August 11, 2023)
  • the manner in which the Data Principal may make a complaint to the Board, (§ 5.(1) ¶ 1(iii), Digital Personal Data Protection Act, 2023, August 11, 2023)
  • the complaint process referred to in paragraph (b). (Part III Section 12 ¶ 1(d)(ii), Singapore Personal Data Protection Act 2012 (No. 26 of 2012))
  • The commissioner's staff and the ombudsman's staff will provide appropriate assistance to any person who wishes to make a complaint and requires assistance with making the complaint. (§ 36(4), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The respondent may apply to the attorney-general for legal assistance when the information commissioner has dismissed a file number complaint and the respondent is not the principal executive of an agency or an agency. (§ 63(1), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • A person who has started or proposes to start proceedings in the federal magistrates court or the federal court under section 55 may apply to the Attorney General for providing assistance in respect of the proceedings. (§ 63(2)(a), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • A person who has engaged in conduct or alleged to have engaged in conduct in respect of proceedings that have started in the federal magistrates court or the federal court under section 55 may apply to the Attorney General for assistance in respect of the proceedings. (§ 63(2)(b), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • (§ 36(4), Australia Privacy Act 1988)
  • The data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjec… (Art. 80.1., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • The Commissioner may, via a written information notice, require persons to furnish him/her, in writing, within a specified time period, information specified in the information notice as necessary for the Commissioner to perform his/her functions. No law or enactment that prohibits disclosure will p… (§ 12(1), § 12(4), Ireland Consolidated Data Protection Acts of 1988 and 2003)
  • The Guarantee may request the data processor, the data controller, the data subject, or a third party to produce documents and provide information to discharge its tasks. (§ 157, Italy Personal Data Protection Code)
  • When a notification does not contain the items stated in section 9 or is unintelligible, or when data is not in the notification and is necessary for its disposal, a request will be made of the informant to remove these defects within a time limit of not less than 7 days. The information will be war… (§ 45(10), § 45(11), Slovak Republic Protection of Personal Data in Information Systems)
  • Individuals who are prospective or actual parties to a proceeding under section 7(9), 10(4), 12(8), or 14 or by virtue of section 13 that relates to the processing of personal data for special purposes may apply for assistance with those proceedings with the Commissioner. As soon as possible after r… (§ 53, UK Data Protection Act of 1998)
  • Procedures should be established by Member countries to allow mutual assistance in procedural and investigative matters. (¶ 21, OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data)
  • As is the case with respect to criminal law enforcement authorities, Privacy and Civil Liberties Officers exist at all intelligence agencies. The powers of these officers typically encompass the supervision of procedures to ensure that the respective department/agency is adequately considering priva… (3.2.2 (164), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • Firstly, Privacy and Civil Liberties Officers exist within various departments with criminal law enforcement responsibilities. While the specific powers of these officers may vary somewhat depending on the authorising statute, they typically encompass the supervision of procedures to ensure that the… (3.1.2 (108), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • Organizations shall inform individuals who make inquiries or lodge complaints of the existence of relevant complaint procedures. A range of these procedures may exist. For example, some regulatory bodies accept complaints about the personal-information handling practices of the companies they regul… (Schedule 1 4.10.3, Canada Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, Last amended on June 23, 2015)
  • Individuals who lodge complaints or make inquiries must be informed of the existence of relevant complaint procedures. (Sched 1 Clause 4.10.3, Canada Personal Information Protection Electronic Documents Act (PIPEDA), 2000, c.5)
  • Applicants will be supported by the entities' designated area that is responsible for receiving applications. (Art 33 ¶ 3, Tlaxcala Law on Access to Public Information and Personal Data Protection)
  • File with the Department a complaint under §§99.63 and 99.64 concerning alleged failures by the educational agency or institution to comply with the requirements of the Act and this part. (§ 99.7(a)(2)(iv), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • When a consumer contacts a consumer reporting agency and says he/she thinks he/she is a victim of fraud or identity theft, the consumer reporting agency must provide the consumer with a summary of his/her rights and instructions on how to contact the Federal Trade Commission for more detailed inform… (§ 151, Fair and Accurate Credit Transactions Act of 2003 (FACT Act))
  • When a consumer contacts a consumer reporting agency and says he/she thinks he/she is a victim of fraud or identity theft, the consumer reporting agency must provide the consumer with a summary of his/her rights and instructions on how to contact the Federal Trade Commission for more detailed inform… (§ 609(d), Fair Credit Reporting Act (FCRA), July 30, 2004)
  • a description of how a Principles-related complaint can be filed; (III.11.d.ii.(4), EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Where the organization has chosen outside compliance review, such verification must demonstrate that its privacy policy regarding personal information received from the EU is accurate, comprehensive, readily available, conforms to the Principles, and is completely implemented (i.e., is being complie… (III.7.d., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • the possibility, under certain conditions, for the individual to invoke binding arbitration, (§ II.1.a.xi., EU-U.S. Privacy Shield Framework Principles)
  • the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, and whether it is: (1) the panel established by DPAs, (2) an alternative dispute resolution provider based in the EU, or (3) an alternative dispute resolution p… (§ II.1.a.ix., EU-U.S. Privacy Shield Framework Principles)
  • Where the organization has chosen outside compliance review, such a review must demonstrate that its privacy policy regarding personal information received from the EU conforms to the Privacy Shield Principles, that it is being complied with, and that individuals are informed of the mechanisms throu… (§ III.7.d., EU-U.S. Privacy Shield Framework Principles)
  • Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy pol… (§ III.7.c., EU-U.S. Privacy Shield Framework Principles)
  • Where the organization has chosen outside compliance review, such verification must demonstrate that its privacy policy regarding personal information received from Switzerland is accurate, comprehensive, readily available, conforms to the Principles, and is completely implemented (i.e., is being co… (iii.7.d., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • a description of how a Principles-related complaint can be filed; (iii.11.d.ii.(4), SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • a description of how a Principles-related complaint can be filed; (III.11.d.ii.(4), UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Where the organization has chosen outside compliance review, such verification must demonstrate that its privacy policy regarding personal information received from the EU is accurate, comprehensive, readily available, conforms to the Principles, and is completely implemented (i.e., is being complie… (III.7.d., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • The informal panel of Data Protection Authorities will provide advice to referrals from direct complaints from individuals and/or the concerned organization, while encouraging and assisting individuals to use the in-house complaint handling arrangements of the organization. (FAQ-The Role of the Data Protection Authorities ¶ 3 Bullet 3, US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • Consumers should be encouraged to raise complaints before starting independent recourse mechanisms. (FAQ-Dispute Resolution and Enforcement Recourse Mechanisms, US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • The individual's right to submit a written statement disagreeing with the denial and how the individual may file such a statement; (§ 164.526(d)(1)(ii), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • A description of how the individual may complain to the covered entity pursuant to the complaint procedures established in §164.530(d) or to the Secretary pursuant to the procedures established in §160.306. The description must include the name, or title, and telephone number of the contact person… (§ 164.526(d)(1)(iv), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • All information necessary for successfully filing complaints; (PM-26b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • All information necessary for successfully filing complaints; (PM-26b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • All information necessary for successfully filing complaints; (PM-26b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • All information necessary for successfully filing complaints; (PM-26b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • All information necessary for successfully filing complaints; (PM-26b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Require the controller to approve or deny the appeal within 45 days after the date on which the controller received the appeal and to notify the consumer in writing of the controller's decision and the reasons for the decision. If the controller denies the appeal, the notice must provide or specify … (Section 4 (6)(d), 82nd Oregon Legislative Assembly, Senate Bill 619)
  • File with the Department a complaint under §§ 99.63 and 99.64 concerning alleged failures by the educational agency or institution to comply with the requirements of the Act and this part. (§ 99.7(a)(2)(iv), 34 CFR Part 99, Family Educational Rights and Privacy)