Investigate privacy rights violation complaints.
CONTROL ID
00480
CONTROL TYPE
Behavior
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Develop remedies and sanctions for privacy policy violations., CC ID: 00474

This Control has the following implementation support Control(s):
  • Cooperate with authorities during a privacy rights violation complaint investigation., CC ID: 14364
  • Notify respondents after a privacy rights violation complaint investigation begins., CC ID: 00491
  • Investigate privacy rights violation complaints in private., CC ID: 00492
  • Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints., CC ID: 00493
  • Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation before an adverse decision against the complainant is reached., CC ID: 00494
  • Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions., CC ID: 00481
  • Determine not to investigate privacy rights violation complaints under certain conditions., CC ID: 00482
  • Defer privacy rights violation complaint investigations under certain conditions., CC ID: 00487
  • Notify respondents after a privacy rights violation complaint investigation has been resolved., CC ID: 13513


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • When a Commissioner receives a complaint or has reasonable grounds to believe that an act or practice has been conducted that is in violation of the Ordinance, then the Commissioner shall carry out an investigation in relation to the relevant data user (controller) to ascertain whether the act or pr… (§ 38, § 39, Hong Kong Personal Data (Privacy) Ordinance)
  • The competent authorities may initiate investigations or legal actions on their own initiative with respect to criminal offenses stated in Article 23 paragraphs 1, 2, 3, and 4 for which criminal procedures and penalties are provided. (Art 26, Anti-Counterfeiting Trade Agreement)
  • When a request is received by an authorized personal information protection organization to resolve a complaint about the handling of personal information by a target business operator, the organization must give the requestor advice and investigate the complaint, and it must make a request to the t… (Art 42(1), Japan Act on the Protection of Personal Information Protection (Law No. 57 of 2003))
  • The information commissioner must be satisfied that the privacy code requires an organization that is bound by the code to cooperate with the adjudicator, before approving a privacy code that includes procedures for making and dealing with complaints. (§ 18BB(3)(g), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The information commissioner shall investigate practices or acts that interfere with the privacy of an individual. (§ 40(1)(a), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The information commissioner shall investigate acts or practices that are filed under section 36. (§ 40(1)(b), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The information commissioner must investigate complaints about acts or practices of organizations that are bound by an approved privacy code which contains procedures for making and dealing with complaints about acts or practices that may be an interference of an individual's privacy, if the practic… (§ 40(1B), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The Commissioner shall investigate an act or practice if the act or practice may be an interference with the privacy of an individual and a complaint has been made. The Commissioner must not investigate a complaint if the complainant did not complain to the respondent before making the complaint to … (§ 40 thru § 43, Australia Privacy Act 1988)
  • The investigation of interference with an individual's privacy rights is dealt with. The function of the Commissioner is to investigate any action that is or appears to be an interference with the privacy of an individual. The Commissioner shall act as conciliator in relation to any such action and … (§ 69, New Zealand Privacy Act 1993)
  • Persons appointed by the supervisory authority for monitoring must be authorized to enter property and premises of the body during business hours and to perform checks and inspections onsite. They have the right to inspect business documents listed in Section 4g(2), stored personal data, and data proce… (§ 38(4), German Federal Data Protection Act, September 14, 1994)
  • Members of the "Commission Nationale de l'informatique et des libertés" (CNIL) and accredited officers must have access to places, premises, surroundings, equipment, or buildings that are used for processing (but not to the parts used for private purposes) to exercise their functions from 6 a.m. to… (Art 44.I, France Data Processing, Data Files and Individual Liberties)
  • The Commission Nationale has investigative powers in cases of the data subject's right of access being limited. (Art 29(5), Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data)
  • § 10(1)(a), § 10(1)(b), § 10(1A) The Commissioner may investigate, or cause to be investigated, if any provisions of this Act have been violated in relation to an individual when the individual complains to him or the Commissioner believes there may have been a violation. The Commissioner, when a… (§ 10(1)(a), § 10(1)(b), § 10(1A), § 24(2), Ireland Consolidated Data Protection Acts of 1988 and 2003)
  • § 158, § 159 The Guarantee may order filing systems and data banks to be accessed and audits on the spot to be performed on the premises that the processing takes place or investigations to check for compliance with personal data protection regulations. These inquiries will be carried out by staff… (§ 158, § 159, § 160, Italy Personal Data Protection Code)
  • The Guarantee is provided the right to "check an investigation." Therefore, when an investigation is underway, the Guarantee can order the controller, the processor, the data subject or a third party to provide information and documents as may be necessary. The Guarantee, with cooperation from other… (Art 32, Italy Protection of Individuals Other Subject with regard to the Processing of Personal Data)
  • The Commission for the protection of privacy must investigate all signed and dated complaints it receives. (Art 31.1, Belgian Law of 8 December 1992 on the protection of privacy in relation to the processing of persona, Unofficial English Translation November 2008)
  • Supervisory authorities may inspect files stated in this Law and obtain information that is required to perform their duties. This may require disclosing or transmitting documents and data, examining data at its storage site, inspecting the hardware and software used for processing, and obtaining ac… (Art 40, ORGANIC LAW 15/1999 of 13 December on the Protection of Personal Data)
  • The Data Protection Commission may initiate an investigation, either at the request of a party or acting in an official capacity, to determine if the processing of data is operating in accordance with this Act. (Art 60.1, Netherlands Personal Data Protection Act, Session 1999-2000 Nr.92, REVISED BILL (as approved by the Lower House on 23 November 1999), Unofficial Translation)
  • § 30(2) The Data Protection Commission has the right to examine data applications when a reasonable suspicion of an infringement of the rights or obligations exists. It can order the processor or data controller to give all necessary clarifications and grant access to all relevant documents and app… (§ 30(2), § 30(4), Austria Data Protection Act)
  • § 45(12) The investigation and disposal of the informant's written notification must be accomplished within 60 days from its receipt. The chief inspector may extend the time limit for not more than 6 months for justified cases. The informant must be notified by the Office if the time limit is being… (§ 45(12), § 45(8), Slovak Republic Protection of Personal Data in Information Systems)
  • Investigations will be initiated by the Commissioner on his/her own initiative or by request from third parties when the processing methods may infringe upon the privacy of large numbers of persons (system error); files must be registered (Article 11); and the disclosure of data transferred out of S… (Art 27.2, Art 29.1, Switzerland Federal Act of 19 June 1992 on Data Protection (FADP))
  • § 45 When it appears to the Commissioner that personal data is not being processed only for special purposes or for the publication of journalistic, literary, or artistic material that has not been previously published by the data controller, the Commissioner may make a determination in writing. Th… (§ 45, Sched 9, UK Data Protection Act of 1998)
  • Each complaint is addressed and the resolution is documented and communicated to the individual. (M9.1 Documents and communicates dispute resolution and recourse, Privacy Management Framework, Updated March 1, 2020)
  • Each complaint is addressed and the resolution is documented and communicated to the individual. (P8.1 ¶ 2 Bullet 3 Documents and Communicates Dispute Resolution and Recourse, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • § 29, § 31, § 36(1), § 36(2), § 37(1), § 37(2) The Privacy Commissioner must receive and investigate complaints, as follows: from individuals who allege their personal information that is held by a government institution has been used or disclosed in a way not in accordance with Sections 7 or … (§ 29, § 31, § 36(1), § 36(2), § 37(1), § 37(2), § 34(4), § 34(5), Canada Privacy Act, P-21)
  • An organization shall investigate all complaints. If a complaint is found to be justified, the organization shall take appropriate measures, including, if necessary, amending its policies and practices. (Schedule 1 4.10.4, Canada Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, Last amended on June 23, 2015)
  • § 12(1), § 12(2), Sched 1 Clause 4.10.4 The Privacy Commissioner must conduct investigations of complaints and may, for that purpose, summon and enforce the appearance of persons before the Privacy Commissioner for that purpose and compel them to give written or oral evidence under oath and to pro… (§ 12(1), § 12(2), Sched 1 Clause 4.10.4, § 12(4), § 18(3), Canada Personal Information Protection Electronic Documents Act (PIPEDA), 2000, c.5)
  • A person who was denied rights under this Act must file a complaint with the State Commission for Access to Public Information. The Commission must verify the complaint's validity and issue a resolution within a maximum period of 90 calendar days from the day the complaint was filed. When a personal… (Art 8, Art 9.X, Colima Personal Data Protection Law (Decree No. 356))
  • After receiving a complaint, within 7 business days the access unit must make a decision as to whether or not the complaint is justified. If the access unit denies access to the appellant, the appellant must be notified within 3 business days. (Art 29, Guanajuato Personal Data Protection Law)
  • The Commission does not require any formalities for admission and the remedial review process, will determine any deficiencies in the complaint, and will take action on its own initiative to ensure access to public information and the protection of personal data. A decision must be made by the Commi… (Art 88, Tlaxcala Law on Access to Public Information and Personal Data Protection)
  • The organization should address each complaint. (Generally Accepted Privacy Principles and Criteria § 10.2.2, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Each complaint is addressed, and the resolution is documented and communicated to the individual. (P8.1 Documents and Communicates Dispute Resolution and Recourse, Trust Services Criteria)
  • Each complaint is addressed and the resolution is documented and communicated to the individual. (P8.1 ¶ 2 Bullet 3 Documents and Communicates Dispute Resolution and Recourse, Trust Services Criteria, (includes March 2020 updates))
  • The consumer reporting agency, after receiving complaints from the Federal Trade Commission (FTC), must review each complaint and determine if all legal obligations have been met, regularly report to the FTC the status of the reviews, and maintain records about the disposition of each complaint. (§ 313(a), Fair and Accurate Credit Transactions Act of 2003 (FACT Act))
  • The consumer reporting agency, after receiving complaints from the Federal Trade Commission (FTC), must review each complaint and determine if all legal obligations have been met, regularly report to the FTC the status of the reviews, and maintain records about the disposition of each complaint. (§ 611(e), Fair Credit Reporting Act (FCRA), July 30, 2004)
  • § 102(c), § 318(b) The investigation of offenses under Section 102 must be conducted by the United States Secret Service. This authority must not be exclusive of existing authority that is held by another Federal agency. After receiving a notice under Section 318(a)(2), the Attorney General will h… (§ 102(c), § 318(b), § 202(c)(5), § 303(c)(5), § 318(d), Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress)
  • Individuals should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to an individual within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual qu… (III.11.d.i., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Organizations and their selected independent recourse mechanisms will respond promptly to inquiries and requests by the Department for information relating to the EU-U.S. DPF. All organizations must respond expeditiously to complaints regarding compliance with the Principles referred by EU Member St… (II.7.b., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Organizations and their selected independent recourse mechanisms will respond promptly to inquiries and requests by the Department for information relating to the Privacy Shield. All organizations must respond expeditiously to complaints regarding compliance with the Principles referred by EU Member… (§ II.7.b., EU-U.S. Privacy Shield Framework Principles)
  • The Recourse, Enforcement and Liability Principle sets out the requirements for Privacy Shield enforcement. How to meet the requirements of point (a)(ii) of the Principle is set out in the Supplemental Principle on Verification. This Supplemental Principle addresses points (a)(i) and (a)(iii), both … (§ III.11.a., EU-U.S. Privacy Shield Framework Principles)
  • In order to help ensure compliance with their Privacy Shield commitments and to support the administration of the program, organizations, as well as their independent recourse mechanisms, must provide information relating to the Privacy Shield when requested by the Department. In addition, organizat… (§ III.11.c., EU-U.S. Privacy Shield Framework Principles)
  • Consumers should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to a consumer within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual questio… (§ III.11.d.i., EU-U.S. Privacy Shield Framework Principles)
  • Organizations and their selected independent recourse mechanisms will respond promptly to inquiries and requests by the Department for information relating to the Swiss-U.S. DPF. All organizations must respond expeditiously to complaints regarding compliance with the Principles referred by the FDPIC… (ii.7.b, SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Individuals should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to an individual within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual qu… (iii.11.d.i., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Individuals should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to an individual within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual qu… (III.11.d.i., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Organizations and their selected independent recourse mechanisms will respond promptly to inquiries and requests by the Department for information relating to the EU-U.S. DPF. All organizations must respond expeditiously to complaints regarding compliance with the Principles referred by EU Member St… (II.7.b., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • The privacy protection must include independent recourse mechanisms that are affordable and readily available, so an individual's disputes and complaints are investigated and resolved. (ENFORCEMENT(a), US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • The organization should use a dispute resolution body to investigate each complaint from an individual, unless the complaint is obviously frivolous or unfounded. (FAQ-Dispute Resolution and Enforcement "Recourse Mechanisms", US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • The Federal Trade Commission will review, on a priority basis, referrals from self-regulatory organizations and European Union member states that allege noncompliance with the safe harbor principles to determine whether section 5 of the Federal Trade Commission Act has been violated. (FAQ-Dispute Resolution and Enforcement "FTC Action", US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • The Secretary will investigate any complaint filed under this section when a preliminary review of the facts indicates a possible violation due to willful neglect. (§ 160.306(c)(1), 45 CFR Part 160 - General Administrative Requirements)
  • The Secretary may investigate any other complaint filed under this section. (§ 160.306(c)(2), 45 CFR Part 160 - General Administrative Requirements)
  • Tracking mechanisms to ensure all complaints received are reviewed and addressed within [Assignment: organization-defined time period]; (PM-26c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Response to complaints, concerns, or questions from individuals within [Assignment: organization-defined time period]. (PM-26e., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Tracking mechanisms to ensure all complaints received are reviewed and addressed within [Assignment: organization-defined time period]; (PM-26c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Response to complaints, concerns, or questions from individuals within [Assignment: organization-defined time period]. (PM-26e., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Tracking mechanisms to ensure all complaints received are reviewed and addressed within [Assignment: organization-defined time period]; (PM-26c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Response to complaints, concerns, or questions from individuals within [Assignment: organization-defined time period]. (PM-26e., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Establish and administer a process for receiving, documenting, tracking, investigating and taking corrective action as appropriate on complaints concerning the company's privacy policies and procedures. (T0922, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Administer action on all complaints concerning the organization's privacy policies and procedures in coordination and collaboration with other similar functions and, when necessary, legal counsel (T0913, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Administer action on all complaints concerning the organization's privacy policies and procedures in coordination and collaboration with other similar functions and, when necessary, legal counsel (T0913, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Tracking mechanisms to ensure all complaints received are reviewed and addressed within [Assignment: organization-defined time period]; (PM-26c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Response to complaints, concerns, or questions from individuals within [Assignment: organization-defined time period]. (PM-26e., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Tracking mechanisms to ensure all complaints received are reviewed and addressed within [Assignment: organization-defined time period]; (PM-26c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Response to complaints, concerns, or questions from individuals within [Assignment: organization-defined time period]. (PM-26e., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The Financial Integrity Enforcement Division is responsible for investigating the use of financial information and personal identification for fraud, theft, or fraud and theft, and other fraudulent or illegal activity that may involve electronic commerce. (§ 15.113(1)(d), Kentucky Revised Statutes, Title III, Chapter 15, Section 113, Prevention of Identity Theft)
  • investigate, report, or prosecute a person responsible for an action described in Subsection (1)(h)(i); (13-61-304 (1)(h)(ii), Utah Code, Title 13, Chapter 61, Utah Consumer Privacy Act)
  • Habeas data actions must proceed in accordance with the requirements of this Act and the procedures that correspond to ordinary action for protecting constitutional rights and subsidiarily in accordance with the requirements of the National Code of Civil and Commercial Procedure as it pertains to sp… (§ 37, Argentina Personal Data Protection Act)