Destroy personal data that breaches privacy after the privacy breach has been detected.

CONTROL ID: 00503
CONTROL TYPE: Data and Information Management
CLASSIFICATION: Corrective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Develop remedies and sanctions for privacy policy violations., CC ID: 00474

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Judicial authorities shall have the authority to order that pirated copyrighted goods and counterfeit trademark products be destroyed absent compensation of any sort. (Art 10 ¶ 1, Anti-Counterfeiting Trade Agreement)
  • Judicial authorities shall have the authority to order that the materials and equipment used to manufacture the counterfeit products be destroyed or disposed of absent undue delay and absent compensation. (Art 10 ¶ 2, Anti-Counterfeiting Trade Agreement)
  • The competent authorities shall have the authority to order products to be destroyed after determining that the products are infringing. (Art 20 ¶ 1, Anti-Counterfeiting Trade Agreement)
  • Each party shall ensure products that are not destroyed are disposed of outside commerce channels in order to avoid harm to the right holder. (Art 20 ¶ 1, Anti-Counterfeiting Trade Agreement)
  • (Art 4.2, Greece Law Protection of personal data and privacy in electronic telecommunications sector (Law 3471))
  • The court may order any data that appears to the court to be connected with the offense to be forfeited or destroyed and relevant data to be erased. If the data belongs to a person other than the person convicted of the offense, reasonable steps must be taken to notify that person and giving him/her… (§ 31(2), § 31(3), Ireland Consolidated Data Protection Acts of 1988 and 2003)
  • The supervisory authority may apply, at the County Administrative Court in the county where the authority is located, for erasure of personal data that has been processed in an unlawful manner. If erasure is unreasonable, a decision may not be issued. (§ 47, Sweden Personal Data Act (1998:204))
  • Secondly, individuals can also bring a complaint directly to the independent dispute resolution body (either in the United States or in the Union) designated by an organisation to investigate and resolve individual complaints (unless they are obviously unfounded or frivolous) and to provide appropri… (2.4 (70), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • (§ 551(f), Cable Communications Privacy Act Title 47 § 551)
  • If an organization persistently fails to comply with the Principles, it is no longer entitled to benefit from the EU-U.S. DPF. Organizations that have persistently failed to comply with the Principles will be removed from the Data Privacy Framework List by the Department and must return or delete th… (III.11.g.i., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • If an organization persistently fails to comply with the Principles, it is no longer entitled to benefit from the Privacy Shield. Organizations that have persistently failed to comply with the Principles will be removed from the Privacy Shield List by the Department and must return or delete the per… (§ III.11.g.i., EU-U.S. Privacy Shield Framework Principles)
  • If an organization persistently fails to comply with the Principles, it is no longer entitled to benefit from the Swiss-U.S. DPF. Organizations that have persistently failed to comply with the Principles will be removed from the Data Privacy Framework List by the Department and must return or delete… (iii.11.g.i., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • If an organization persistently fails to comply with the Principles, it is no longer entitled to benefit from the EU-U.S. DPF. Organizations that have persistently failed to comply with the Principles will be removed from the Data Privacy Framework List by the Department and must return or delete th… (III.11.g.i., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • The sanctions should include a requirement to delete personal data when necessary. (FAQ-Dispute Resolution and Enforcement "Remedies and Sanctions", US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • Upon discovery of a data spill, mission owners should cryptographically erase unauthorized data by deleting the associated decryption key(s), consistent with NIST SP 800-88 Rev 1. Mission owners must also take any necessary steps to remove unauthorized data that may exist in an unencrypted state, su… (Section 5.7 ¶ 6, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Data spills that involve unauthorized data being stored in an unencrypted state in a CSO must be mitigated by the Mission Owner utilizing any available option to make such data unrecoverable. The response to such an event will likely be limited to methods that provide less assurance than cryptograph… (Section 5.7 ¶ 8, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)