Back

Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions.


CONTROL ID
00481
CONTROL TYPE
Behavior
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Investigate privacy rights violation complaints., CC ID: 00480

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • If parties fail to or are unable to reach an agreement on compensation for damages under paragraph (2), either party may file an application for decision with the Korea Communications Commission. (Article 60(3), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • A person who is aggrieved by an adjudicator's determination under an approved privacy code after a complaint investigation may apply to the information commissioner to review the determination. (§ 18BI(1), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The information commissioner may amend a complaint so that it can be dealt with as a representative complaint, if he or she is satisfied it can be a representative complaint if the class members are reduced, increased, or altered. (§ 38C, Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The adjudicator must stop investigating a complaint that is made under an approved privacy code absent making a determination about the complaint where the organization is a contracted service provider for a commonwealth contract and refer the complaint to the commissioner. (§ 40A(2), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • (§ 40A, Australia Privacy Act 1988)
  • If the Federal Commissioner for Data Protection discovers any infringements in the use or processing of personal data, he/she must lodge a complaint with the competent supreme federal authority for cases of the federal administration; with the President for cases of the Federal Railway Property; wit… (§ 25(1), German Federal Data Protection Act, September 14, 1994)
  • The Office of the Guarantee will communicate any complaints to the data controller within 3 days, unless the complaint has been declared inadmissible or manifestly groundless, and inform the data controller that he/she may notify the Office and the complainant within 10 days that he/she will volunta… (§ 149, Italy Personal Data Protection Code)
  • if requested to do so by the Commissioner, make the record available to the Commissioner. (§ 45(7)(b), UK Data Protection Act 2018 Chapter 12)
  • if requested to do so by the Commissioner, make the record available to the Commissioner. (§ 45(7)(b), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • A request by or on behalf of any person who is, or believes himself/herself to be, directly affected by personal data processing may be made to the Commissioner to assess whether or not it is likely that the processing is in compliance with this Act. The Commissioner, after receiving this request, w… (§ 42, UK Data Protection Act of 1998)
  • The Privacy Commissioner may initiate a complaint when he/she is satisfied reasonable grounds exist to investigate the matter. (§ 11(2), Canada Personal Information Protection Electronic Documents Act (PIPEDA), 2000, c.5)
  • If the organization has tried to resolve a complaint and the individual is still not satisfied, an independent panel should be used to hear the case and recommend a resolution and/or corrective actions to be taken. (§ Q4, Canadian Marketing Association Code of Ethics and Standards of Practice)
  • The data subject may appeal to the Commission, by a judicial review, to challenge any decisions or acts that retard, withhold, or prevent access to personal data or public information protection. He/she may also appeal receiving the incorrect, incomplete, or different data than what was requested. (Art 83, Tlaxcala Law on Access to Public Information and Personal Data Protection)
  • Before an action is filed under Section 318(a)(1), the State attorney general must provide a written notice of the action and a copy of the complaint for the action to the Attorney General of the United States. This notification does not apply if the State attorney general determines that it is not … (§ 318(a)(2), Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress)
  • In so far as personal information is used only in the context of the employment relationship, primary responsibility for the data vis-à-vis the employee remains with the organization in the EU. It follows that, where European employees make complaints about violations of their data protection right… (III.9.d.i., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • In so far as personal information is used only in the context of the employment relationship, primary responsibility for the data vis-à-vis the employee remains with the organization in the EU. It follows that, where European employees make complaints about violations of their data protection right… (§ III.9.d.i., EU-U.S. Privacy Shield Framework Principles)
  • In so far as personal information is used only in the context of the employment relationship, primary responsibility for the data vis-à-vis the employee remains with the organization in Switzerland. It follows that, where Swiss employees make complaints about violations of their data protection rig… (iii.9.d.i., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • In so far as personal information is used only in the context of the employment relationship, primary responsibility for the data vis-à-vis the employee remains with the organization in the EU. It follows that, where European employees make complaints about violations of their data protection right… (III.9.d.i., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • European employees who make complaints about data protection rights violations and are not satisfied with the internal review results, the complaint results, or the appeal procedures results should be directed to the state or national Data Protection Authority or labor authority in the jurisdiction … (FAQ-Human Resources Question 4 ¶ 1, US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision. The appeal process shall be conspicuously available and similar to the process for submitting requests… (§ 4 (d), Connecticut Public Act No. 22-15, An Act Concerning Personal Data Privacy and Online Monitoring)
  • A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision. The appeal process shall be conspicuously available and similar to the process for submitting requests… (§ 4 (d), Connecticut Public Act No. 22-15, An Act Concerning Personal Data Privacy and Online Monitoring)
  • A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision. The appeal process shall be conspicuously available and similar to the process for submitting requests… (§ 12D-104.(d), Delaware Code, Title 6, Subtitle II, Chapter 12D. Delaware Personal Data Privacy Act)
  • A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision. The appeal process shall be conspicuously available and similar to the process for submitting requests… (§ 12D-104.(d), Delaware Code, Title 6, Subtitle II, Chapter 12D. Delaware Personal Data Privacy Act)
  • A controller shall establish a process for a consumer to appeal, within a reasonable period of time after the consumer's receipt of a decision by the controller under subsection (c)(2), the controller's refusal to take action on a request by the consumer under this section. The appeal process shall … (IC 24-15-3-1(d), Indiana Code, Title 24, Article 15, Consumer Data Protection)
  • A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to this section. The appeal process shall be conspicuously available and similar to the proces… (§ 715D.3.3., Iowa Code Annotated, Section 715D, An Act Relating to Consumer Data Protection, Providing Civil Penalties, and Including Effective Date Provisions)
  • A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to this section. The appeal process shall be conspicuously available and similar to the proces… (§ 715D.3.3., Iowa Code Annotated, Section 715D, An Act Relating to Consumer Data Protection, Providing Civil Penalties, and Including Effective Date Provisions)
  • A controller shall establish a process for a consumer to appeal the controller's refusal to act on a request within a reasonable period after the consumer's receipt of the decision. The appeal process must be conspicuously available and like the process for submitting requests to initiate action pur… (§ Section 5. (5), Montana Consumer Data Privacy Act)
  • A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision. The appeal process shall be conspicuously available and similar to the process for submitting requests… (§ 507-H:4 IV., New Hampshire Statutes, Title LII, Chapter 507-H, Expectation of Privacy)
  • Require the controller to approve or deny the appeal within 45 days after the date on which the controller received the appeal and to notify the consumer in writing of the controller's decision and the reasons for the decision. If the controller denies the appeal, the notice must provide or specify … (Section 4 (6)(d), 82nd Oregon Legislative Assembly, Senate Bill 619)
  • A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subdivision (b)(2). The appeal process must be made available to the consumer in a conspicu… (§ 47-18-3203.(c), Tennessee Code Annotated, Title 47, Chapter 18, Parts 3201 through 3213, Tennessee Information Protection Act)
  • A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subdivision (b)(2). The appeal process must be made available to the consumer in a conspicu… (§ 47-18-3203.(c), Tennessee Code Annotated, Title 47, Chapter 18, Parts 3201 through 3213, Tennessee Information Protection Act)
  • If the controller denies an appeal, the controller shall provide the consumer with the online mechanism described by Section 541.152 through which the consumer may contact the attorney general to submit a complaint. (§ 541.053 (d), Texas Business and Commercial Code, Title 11, Subtitle C, Chapter 541, Subchapter A, Section 541)
  • A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subdivision B 2. The appeal process shall be conspicuously available and similar to the pro… (§ 59.1-577.C., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act)
  • A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subdivision B 2. The appeal process shall be conspicuously available and similar to the pro… (§ 59.1-577.C., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act, April 11, 2022)