Back

Respond to an investigative report in regards to a privacy rights violation complaint.


CONTROL ID
00496
CONTROL TYPE
Behavior
CLASSIFICATION
Corrective

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Develop remedies and sanctions for privacy policy violations., CC ID: 00474

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • An outsourcing agency that receives a recommendation from the commissioner must tell the commissioner of any actions the agency is planning on taking in relation to the recommendations inside of 60 days from receiving the recommendations and in writing. (§ 53A(3), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • Decisions and/or tacit dismissals stated in Section 150.2 may be challenged by the data subject or data controller and they may file a petition pursuant to Section 152. The challenging will not suspend the enforcement of the decision. Courts will follow the procedures stated in Section 152. (§ 151, Italy Personal Data Protection Code)
  • The responsible parties referred to in Article 66(1) must have the opportunity to reply to the report in writing or orally within a reasonable period of time. If the responsible parties do not have an understanding of the Dutch language, they may request an interpreter from the Data Protection Commi… (Art 69, Netherlands Personal Data Protection Act, Session 1999-2000 Nr.92, REVISED BILL (as approved by the Lower House on 23 November 1999), Unofficial Translation)
  • If a recommendation is rejected or not complied with, the Commissioner may refer the case to the Federal Chancellery or the department for a decision. The affected persons will be notified of the decision. (Art 27.5, Art 29.4, Switzerland Federal Act of 19 June 1992 on Data Protection (FADP))
  • As part of its compliance review procedures, the DoC may verify that EU-U.S. DPF organisations are actually registered with the independent recourse mechanisms they claim they are registered with. Both the organisations and the responsible independent recourse mechanisms are required to respond prom… (2.4 (71), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • When a notice is requested under Section 35(1)(b), and the notice is not received by the Privacy Commissioner within the specified time period, or the described action in the notice is inappropriate or inadequate, in the Commissioner's opinion, or will not be taken in a reasonable time, the Commissi… (§ 35(3), § 36(5), § 43, Canada Privacy Act, P-21)
  • After receiving the Privacy Commissioner's report, a complainant may apply to the Court for a hearing about the complaint, or any matter was referred to in the report, and referred to in Schedule 1 Clauses 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7, or 4.8, in Schedule 1 Clauses 4.3, 4.5, or 4.9, as modified … (§ 14, Canada Personal Information Protection Electronic Documents Act (PIPEDA), 2000, c.5)
  • If a civil suit is brought, a business may file an affidavit stating it has made a diligent effort to search for the applicable records and the records do not exist or are not reasonably available (§ 151, Fair and Accurate Credit Transactions Act of 2003 (FACT Act))
  • If a civil suit is brought, a business may file an affidavit stating it has made a diligent effort to search for the applicable records and the records do not exist or are not reasonably available. (§ 609(e)(10), Fair Credit Reporting Act (FCRA), July 30, 2004)
  • If a court finds a customer has complied with section 3410(a), the court must order the Government authority to file a sworn response, which may be filed using a video recording, if deemed appropriate by the Government. If the court cannot determine the application or motion on the basis of the init… (§ 3410(b), Right to Financial Privacy Act)
  • In order to help ensure compliance with their EU-U.S. DPF commitments and to support the administration of the program, organizations, as well as their independent recourse mechanisms, must provide information relating to the EU-U.S. DPF when requested by the Department. In addition, organizations m… (III.11.c., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Organizations and their selected independent recourse mechanisms will respond promptly to inquiries and requests by the Department for information relating to the EU-U.S. DPF. All organizations must respond expeditiously to complaints regarding compliance with the Principles referred by EU Member St… (II.7.b., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Organizations must retain their records on the implementation of their EU-U.S. DPF privacy practices and make them available upon request in the context of an investigation or a complaint about non-compliance to the independent dispute resolution body responsible for investigating complaints or to t… (III.7.e., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Organizations and their selected independent recourse mechanisms will respond promptly to inquiries and requests by the Department for information relating to the Swiss-U.S. DPF. All organizations must respond expeditiously to complaints regarding compliance with the Principles referred by the FDPIC… (ii.7.b, SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Organizations must retain their records on the implementation of their Swiss-U.S. DPF privacy practices and make them available upon request in the context of an investigation or a complaint about non- compliance to the independent dispute resolution body responsible for investigating complaints or … (iii.7.e., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • In order to help ensure compliance with their Swiss-U.S. DPF commitments and to support the administration of the program, organizations, as well as their independent recourse mechanisms, must provide information relating to the Swiss-U.S. DPF when requested by the Department. In addition, organizat… (iii.11.c., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • In order to help ensure compliance with their EU-U.S. DPF commitments and to support the administration of the program, organizations, as well as their independent recourse mechanisms, must provide information relating to the EU-U.S. DPF when requested by the Department. In addition, organizations m… (III.11.c., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Organizations and their selected independent recourse mechanisms will respond promptly to inquiries and requests by the Department for information relating to the EU-U.S. DPF. All organizations must respond expeditiously to complaints regarding compliance with the Principles referred by EU Member St… (II.7.b., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Organizations must retain their records on the implementation of their EU-U.S. DPF privacy practices and make them available upon request in the context of an investigation or a complaint about non-compliance to the independent dispute resolution body responsible for investigating complaints or to t… (III.7.e., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • After a report has been answered, the plaintiff may, within 3 days, add to the complaint by requesting the correction, deletion, confidentiality, or updating of personal data subject to this Act. This report must include the additional evidence and must be forwarded to the defendant for a 3-day term… (§ 42, Argentina Personal Data Protection Act)