
Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints.


CONTROL ID
00493
CONTROL TYPE
Behavior
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Investigate privacy rights violation complaints., CC ID: 00480

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The authorized personal information protection organization may request the target business operator to address privacy violation complaints orally or in writing or to submit relevant materials in order to settle any complaints. (Art 42(2), Japan Act on the Protection of Personal Information Protection (Law No. 57 of 2003))
  • The information commissioner may make inquiries of the respondent to determine if the commissioner has the power to investigate the complaint. (§ 42(a), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The information commissioner may make inquiries of the respondent to determine whether the commissioner may decide not to investigate the complaint. (§ 42(b), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The information commissioner may gather information and make inquiries from persons as he or she sees fit for conducting an investigation. (§ 43(3), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The information commissioner may give a person who he or she believes has information or documentation that is relevant to the investigation a written notice requiring the person to give the information to the commissioner in writing signed by the person. (§ 44(1)(a), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The information commissioner may give a person who he or she believes has information or documentation relevant to the investigation written notice to provide the document to the commissioner. (§ 44(1)(b), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The written notice given by the commissioner to request information or documentation for an investigation shall state the place the information or documentation is to be given or produced to the commissioner. (§ 44(2)(a), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The written notice given by the commissioner to a person with information or documentation relevant to an investigation shall state the time or period that the information or documentation is to be given or produced. (§ 44(2)(b), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The information commissioner may take possession of, make copies of, or take extracts from the documentation given to the commissioner in accordance with section 44(1). (§ 44(2A)(a), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The information commissioner may give a written notice to a person who is believed to have information relevant to the investigation that requires him or her to appear before the commissioner at a time and place named to answer questions about the investigation. (§ 44(3), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The information commissioner may direct, with a written notice, the complainant, the respondent, and any other person who is likely to provide relevant information about the investigation to attend a conference, at a time and place named in the notice, presided over by the commissioner. (§ 46(1), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • A conference shall be held in private and conducted in a way the commissioner sees fit. (§ 47(2), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • An unincorporated body or corporate body that is directed to attend a conference is deemed to have attended if a member, employee, or officer of the body attends on behalf of the body. (§ 47(3), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • An individual is not entitled to be represented at a conference by another person, except with the commissioner's consent. (§ 47(4)(a), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • A corporate body or unincorporated body is not entitled to be represented at a conference by a person other than an employee, member, or officer of that body, except with the commissioner's consent. (§ 47(4)(b), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • A person shall not refuse or fail to be sworn or make an affirmation when required by this act. (§ 65(1)(b), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • A person shall not refuse or fail to give information as required by this act. (§ 66(1)(a), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • A person shall not refuse or fail to produce a document or record or to answer a question when required by this act. (§ 66(1)(b), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • A journalist has a reasonable excuse for not giving information, answering questions, or producing records or documents, if it would tend to reveal the person's identity who gave the document, information, or record to the journalist in confidence. (§ 66(1A), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • An individual has a reasonable excuse to refuse or fail to give information or produce a record or document if it might tend to incriminate him or her or make him or her liable to a penalty or forfeiture, subject to sections 66(4), 66(7), and 66(10). (§ 66(3), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • (§ 43(3), Australia Privacy Act 1988)
  • Commission members and officers may ask for copies of necessary documents to perform their mission, whatever the medium. They have the right to collect, on the spot or on summons, all information that is useful, to access electronic data processing programs and data, and ask for their transcription,… (Art 44.III, France Data Processing, Data Files and Individual Liberties)
  • The staff who performs inquiries must be identified with an ID document and may be assisted by consultants bound by secrecy rules. To carry out measurements and technical operations, the staff may make copies of data, documents, and papers by samples, on computer media, or via electronic networks. T… (§ 159.1, § 159.2, Italy Personal Data Protection Code)
  • The Data Protection Agency members and staff must have access to all facilities, without court order or proof of identity, where processing operations are conducted or the data subject has access to processing, and facilities where technical or data equipment are used or stored. (§ 62(2), Denmark, The Act on Processing of Personal Data)
  • The Commissioner may request documents, obtain information, and have data processing activities explained. Federal authorities must cooperate in all investigations. (Art 27.3, Art 29.2, Switzerland Federal Act of 19 June 1992 on Data Protection (FADP))
  • In addition, organisations must retain records on the implementation of their EU-U.S. DPF practices and make them available upon request in the context of an investigation or a complaint about non-compliance to an independent dispute resolution body or competent enforcement authority. (2.2.7 (46), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • Secondly, a subpoena may be issued by a grand jury (an investigative arm of the court impanelled by a judge or magistrate) in the context of investigations of certain serious crimes, usually at the request of a federal prosecutor, to require someone to produce or make available business records, ele… (3.1.1.1 (93), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • As indicated, criminal law enforcement authorities must in most cases obtain prior judicial authorisation to collect personal data. Although this is not required for administrative subpoenas, these are limited to specific situations and will be subject to independent judicial review at least where t… (3.1.3 (112), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • In particular, FISA and a related statute provides the possibility for individuals to bring a civil action for money damages against the United States when information about them has been unlawfully and wilfully used or disclosed; to sue U.S. government officials acting in their personal capacity fo… (3.2.3 (196), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • Any complainant, as well as each element of the Intelligence Community, may seek review of the ODNI CLPO's decision before the Data Protection Review Court (DPRC). Such applications for review must be submitted within 60 days after receiving the notification from the ODNI CLPO that its review is com… (3.2.3 (184), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • The Privacy Commissioner has, with regard to conducting investigations of a complaint, the power to summon and enforce personal appearances before the Privacy Commissioner and require the individual to provide written or oral evidence under oath and to produce any documents and "things" the Commissi… (§ 34(1), § 34(2), § 45, Canada Privacy Act, P-21)
  • assisting an investigation or proceeding in respect of a contravention of the laws of a foreign state that address conduct that is substantially similar to conduct prohibited under any of sections 6 to 9. (Section 15(3)(c), An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act)
  • The general director of the Institute for Access to Public Information may, at any time before issuing a decision, request information that is necessary to resolve a complaint. (Art 31, Guanajuato Personal Data Protection Law)
  • The Institute must have access to the personal data systems that contain the information needed to resolve the appeal. This information will be kept confidential and will not be in the records. Resolutions issued by the Institute will be final, unassailable, and binding for the individuals and the p… (Art 39, The Personal Data Protection Law for the Federal District (Mexico City))
  • The organization should review complaints to ensure third parties are not misusing personal information. (Table Ref 7.2.4, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Personally identifiable information that is obtained in any manner other than a way stated in this section cannot be accepted as evidence in a trial, arbitration, hearing, or other proceeding in or before any grand jury, court, agency, regulatory body, legislative committee, department, officer, or … (§ 2710(d), 18 USC § 2710, Wrongful disclosure of video tape rental or sale records)
  • Privileged self-test reports or results may not be used or obtained by government agencies in an investigation or examination that relates to compliance with the Consumer Credit Reporting Act (the Act) or this regulation or by government agencies or applicants in proceedings or civil actions in whic… (§ 202.15(d), Equal Credit Opportunity Act (Reg. B))
  • Not more than 30 days after receiving a consumer information request resulting from a suspected unauthorized use of identity when purchasing goods, the business must provide a copy of the transaction to the alleged victim, to the Federal, State, or local law enforcement agency or officer specified b… (§ 151, Fair and Accurate Credit Transactions Act of 2003 (FACT Act))
  • Not more than 30 days after receiving a consumer information request resulting from a suspected unauthorized use of identity when purchasing goods, the business must provide a copy of the transaction to the alleged victim, to the Federal, State, or local law enforcement agency or officer specified b… (§ 609(e)(1), Fair Credit Reporting Act (FCRA), July 30, 2004)
  • In order to help ensure compliance with their EU-U.S. DPF commitments and to support the administration of the program, organizations, as well as their independent recourse mechanisms, must provide information relating to the EU-U.S. DPF when requested by the Department. In addition, organizations m… (III.11.c., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Organizations must retain their records on the implementation of their EU-U.S. DPF privacy practices and make them available upon request in the context of an investigation or a complaint about non-compliance to the independent dispute resolution body responsible for investigating complaints or to t… (III.7.e., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Organizations and their selected independent recourse mechanisms will respond promptly to inquiries and requests by the Department for information relating to the Privacy Shield. All organizations must respond expeditiously to complaints regarding compliance with the Principles referred by EU Member… (§ II.7.b., EU-U.S. Privacy Shield Framework Principles)
  • Organizations must retain their records on the implementation of their Privacy Shield privacy practices and make them available upon request in the context of an investigation or a complaint about non-compliance to the independent body responsible for investigating complaints or to the agency with u… (§ III.7.e., EU-U.S. Privacy Shield Framework Principles)
  • In order to help ensure compliance with their Privacy Shield commitments and to support the administration of the program, organizations, as well as their independent recourse mechanisms, must provide information relating to the Privacy Shield when requested by the Department. In addition, organizat… (§ III.11.c., EU-U.S. Privacy Shield Framework Principles)
  • Consumers should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to a consumer within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual questio… (§ III.11.d.i., EU-U.S. Privacy Shield Framework Principles)
  • Organizations must retain their records on the implementation of their Swiss-U.S. DPF privacy practices and make them available upon request in the context of an investigation or a complaint about non-compliance to the independent dispute resolution body responsible for investigating complaints or … (iii.7.e., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • In order to help ensure compliance with their Swiss-U.S. DPF commitments and to support the administration of the program, organizations, as well as their independent recourse mechanisms, must provide information relating to the Swiss-U.S. DPF when requested by the Department. In addition, organizat… (iii.11.c., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • In order to help ensure compliance with their EU-U.S. DPF commitments and to support the administration of the program, organizations, as well as their independent recourse mechanisms, must provide information relating to the EU-U.S. DPF when requested by the Department. In addition, organizations m… (III.11.c., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Organizations must retain their records on the implementation of their EU-U.S. DPF privacy practices and make them available upon request in the context of an investigation or a complaint about non-compliance to the independent dispute resolution body responsible for investigating complaints or to t… (III.7.e., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • A party may make a request to another party for production of documents for inspection and copying that are relevant and material to the issues before the ALJ. (§ 160.516(a), 45 CFR Part 160 - General Administrative Requirements)
  • Requests for documents, requests for admissions, written interrogatories, depositions and any forms of discovery, other than those permitted under paragraph (a) of this section, are not authorized. (§ 160.516(c), 45 CFR Part 160 - General Administrative Requirements)
  • When a request for production of documents has been received, within 30 days the party receiving that request must either fully respond to the request, or state that the request is being objected to and the reasons for that objection. If objection is made to part of an item or category, the part mus… (§ 160.516(e)(1), 45 CFR Part 160 - General Administrative Requirements)
  • Establish a process for receiving, documenting, tracking, investigating and acting on all complaints concerning the organization's privacy policies and procedures (T0895, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Establish a process for receiving, documenting, tracking, investigating and acting on all complaints concerning the organization's privacy policies and procedures (T0895, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Any person who is subpoenaed to produce relevant matter pursuant to division (C) of this section shall make that relevant matter available at a convenient location within this state or the state of the representative designated under division (D)(1) of this section. (§ 1349.191(D)(2), Ohio Revised Code, Title 13, Chapter 1349, Section 1349.191 Investigation of noncompliance with disclosure laws.)
  • The Court will require the data register, file, or bank to submit all information that concerns the plaintiff when an action is admitted. The Court also will be entitled to request information on the basic documentation about collecting the data, the technical support of the data, and other aspects … (§ 39, § 40, Argentina Personal Data Protection Act)