
Define the appeal process based on the applicable law.


CONTROL ID: 00506
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Develop remedies and sanctions for privacy policy violations., CC ID: 00474

This Control has the following implementation support Control(s):
  • Define the fee structure for the appeal process., CC ID: 16532
  • Define the time requirements for the appeal process., CC ID: 16531
  • Disseminate and communicate instructions for the appeal process to interested personnel and affected parties., CC ID: 16544
  • Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties., CC ID: 16542


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • An authorized person or agency may appeal to the administrative court within 1 month of being notified or becoming aware of a warrant, directive, or order. (§ 18(1), South African Interception of Communications Act, No 6/2007)
  • On any appeal, the administrative court may confirm, vary, or set aside the warrant, directive, or order, and make an order as to costs. (§ 18(2), South African Interception of Communications Act, No 6/2007)
  • stating that the individual has 7 days after the receipt of the notice within which to show cause why that action should not be taken; and (Part 6 Section 30(5)(a)(ii), Hong Kong Personal Data (Privacy) Ordinance, E.R. 1 of 2013)
  • Every appeal under sub-section (1) shall be filed within a period of sixty days from the date of receipt of the order or direction appealed against and it shall be in such form and manner and shall be accompanied by such fee as may be prescribed. (§ 29.(2), Digital Personal Data Protection Act, 2023, August 11, 2023)
  • Where a data subject suffers damage out of loss, theft, divulgence, forgery, alteration, or damage of his/her own personal information, caused by wrongful intent or negligence of a personal information controller, the Court may determine the damages not exceeding three times such damage: Provided, T… (Article 39(3), Personal Information Protection Act)
  • must be made in the form and manner required by the Commission; and (§ 48N.(4)(b), Singapore Personal Data Protection Act 2012 (No. 26 of 2012), Revised Edition 2021)
  • An organisation or a person aggrieved by a financial penalty imposed by the Commission under section 48J(1) on the organisation or person may make a written application to the Commission to reconsider the decision to impose the financial penalty or the amount of the financial penalty so imposed in a… (§ 48N.(2), Singapore Personal Data Protection Act 2012 (No. 26 of 2012), Revised Edition 2021)
  • subject to subsection (5), must be submitted to the Commission within the prescribed period; (§ 48N.(4)(a), Singapore Personal Data Protection Act 2012 (No. 26 of 2012), Revised Edition 2021)
  • must set out the grounds on which the applicant is requesting the reconsideration. (§ 48N.(4)(c), Singapore Personal Data Protection Act 2012 (No. 26 of 2012), Revised Edition 2021)
  • An application may be made to the administrative appeals tribunal to review the information commissioner's decision, when he or she refuses to approve the issue of guidelines under section 95(1). (§ 95(5), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • An application may be made to the administrative appeals tribunal to review the commissioner's decision to refuse to approve or revoke an approval of guidelines about health information. (§ 95A(7), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • An application may be made to the administrative appeals tribunal to review the commissioner's decision to refuse to approve guidelines about genetic information. (§ 95AA(3), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • Member States shall ensure that an appeal procedure against decisions of the notified bodies is available to parties having a legitimate interest in that decision. (Article 45 ¶ 1, Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them. (Art. 78.1., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this R… (Art. 79.1., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • Appeals may be made by anyone to the Federal Commissioner for Data Protection, if he/she believes his/her rights were infringed upon during the collection, processing, or use of his/her personal data by public bodies of the Federation. This applies to collecting, processing, or using personal data b… (§ 21, German Federal Data Protection Act, September 14, 1994)
  • Appeals may be made before the "Conseil d'Etat" against any penalty on the grounds of both fact and law. (Art 46, France Data Processing, Data Files and Individual Liberties)
  • The Commission Nationale's administrative sanctions may be appealed in accordance with Article 3 of the Law of 7 November 1996. (Art 33(2), Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data)
  • Appeals may be made to and heard and determined by the Court against requirements in an enforcement or information notice; prohibitions in a prohibition notice; refusals by the Commissioner; and decisions by the Commissioner in relation to a complaint. These appeals must be brought within 21 days fr… (§ 12A(8), § 26, Ireland Consolidated Data Protection Acts of 1988 and 2003)
  • Decisions of the Data Protection Agency may be appealed. (Art 18.4, ORGANIC LAW 15/1999 of 13 December on the Protection of Personal Data)
  • Decisions by the supervisory authority may be appealed against to a general administrative court. Even if a decision has been appealed against, the supervisory authority may decide that its decision should apply. (§ 51, Sweden Personal Data Act (1998:204))
  • Rulings of the executive member of the Data Protection Commission are subject to appeal ("Note that this is not a regular form of appeal, but a special remedy called "Vorstellung" used in conjunction with the Mandatsbescheid. The decision of the executive member is appealed before the Data Protectio… (§ 40, Austria Data Protection Act)
  • Decisions of the Finnish Communications Regulatory Authority or the Data Protection Ombudsman that are taken under this Act may be appealed in compliance with the Administrative Judicial Procedure Act. Appellate authorities may prohibit enforcement of the decision until the appeal has been resolved. (§ 43, Finland Act on the Protection of Privacy in Electronic Communications, Unofficial Translation)
  • The decisions made by the Data Protection Ombudsman (section 40(2) and Data Protection Board (sections 43 and 44) may be appealed in accordance with the Administrative Judicial Procedure Act (586/1996). The decision of the Data Protection Board stated in section 43 may be appealed by the Data Protec… (§ 45, Finland Personal Data Protection Act (523/1999))
  • Persons who are served an enforcement notice, an information notice, or a special information notice may appeal against the notice to the Tribunal. Persons who are served an enforcement notice may make an appeal to the Tribunal against the refusal of an application under section 41(2) for variation … (§ 48, § 49, UK Data Protection Act of 1998)
  • Any complainant, as well as each element of the Intelligence Community, may seek review of the ODNI CLPO's decision before the Data Protection Review Court (DPRC). Such applications for review must be submitted within 60 days after receiving the notification from the ODNI CLPO that its review is com… (3.2.3 (184), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • Appeals brought as a result of an application under Section 51(1) must be heard on camera and, upon request of the head of the concerned government institution, be heard and determined in the National Capital Region described in the National Capital Act. During the hearing, the head of the concerned… (§ 51(2), § 51(3), Canada Privacy Act, P-21)
  • Resolutions of the State Commission for Access to Public Information may be appealed to the Court of Administrative Disputes. (Art 23, Colima Personal Data Protection Law (Decree No. 356))
  • The applicant may file an appeal for revocation that will be substantiated under the established terms of the Transparency and Access to Public Information Law of the Federal District and the Internal Regulation of the Institute. (Art 40, The Personal Data Protection Law for the Federal District (Mexico City))
  • Individuals are notified, in writing, about the reason a correction request was denied and the procedures for appealing. (Generally Accepted Privacy Principles and Criteria § 6.2.6, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should provide individuals with an appeal process when access to personal information is denied. (Table Ref 6.2.4, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should have implemented procedures to use a third party resolution service in cases where the individual is not satisfied with the organization's resolution. (Table Ref 10.2.2, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • § 422.202(a)(4): A Medicare Advantage (MA) organization must provide for the participation of individual physicians by implementing a process to appeal adverse participation procedures, including the right to present information and their views on a decision. § 422.311(b)(3): A MA organization ma… (§ 422.202(a)(4), § 422.311(b)(3), § 422.311(1)(vii)(B), § 422.311(2)(i), § 422.311(2)(ii), § 422.311(2)(iii), 42 CFR Parts 412, 413, 422 et al., Medicare and Medicaid Programs; Electronic Health Record Incentive Program, Final Rule)
  • The nature of the final adverse action and whether such action is on appeal. (§ 1128E(b)(2)(C), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, 104th Congress)
  • Court rulings that deny a motion or applications will not be deemed a final order, and no interlocutory appeal may be made by the customer. Appeals of rulings that deny a motion or application may be made by the customer within the time period provided by law as part of any appeal from a final order… (§ 3410(d), Right to Financial Privacy Act)
  • If the data integrity board rejects a matching agreement, it may be appealed to the director of the Office of Management and Budget (OMB). Timely notice of the filing shall be provided by the director of OMB to the Committee on Government Operations of the House of Representatives and the Committee … (§ 552a(u)(5)(A), 5 USC § 552a, Records maintained on individuals (Privacy Act of 1974))
  • The organization should maintain an appeals procedure for personnel whose credentials are denied or revoked. (§ 2.4 ¶ 3, FIPS Pub 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors, Change Notice 1)
  • A controller shall establish an internal process whereby consumers may appeal a refusal to take action on a request to exercise any of the rights under subsection (1) of this section within a reasonable period after the consumer's receipt of the notice sent by the controller under subsection (2)(b) … (§ 6-1-1306 (3)(a), Colorado Revised Statutes, Title 6, Article 1, Part 13, Colorado Privacy Act)
  • Within forty-five days after receipt of an appeal, a controller shall inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support of the response. The controller may extend the forty-five-day period by sixty additional da… (§ 6-1-1306 (3)(b), Colorado Revised Statutes, Title 6, Article 1, Part 13, Colorado Privacy Act)
  • A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision. The appeal process shall be conspicuously available and similar to the process for submitting requests… (§ 4 (d), Connecticut Public Act No. 22-15, An Act Concerning Personal Data Privacy and Online Monitoring)
  • If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but not later than forty-five days after receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision. (§ 4 (c)(2), Connecticut Public Act No. 22-15, An Act Concerning Personal Data Privacy and Online Monitoring)
  • If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but not later than 45 days after receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision. (§ 12D-104.(c)(2), Delaware Code, Title 6, Subtitle II, Chapter 12D. Delaware Personal Data Privacy Act)
  • A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision. The appeal process shall be conspicuously available and similar to the process for submitting requests… (§ 12D-104.(d), Delaware Code, Title 6, Subtitle II, Chapter 12D. Delaware Personal Data Privacy Act)
  • A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision under s. 501.706(3). (§ 501.707(1), Florida Statutes, Title XXXIII, Chapter 501, Sections 701-721, Florida Digital Bill of Rights)
  • The appeal process must be conspicuously available and similar to the process for initiating action to exercise consumer rights by submitting a request under s. 501.705. (§ 501.707(2), Florida Statutes, Title XXXIII, Chapter 501, Sections 701-721, Florida Digital Bill of Rights)
  • If a controller cannot take action regarding the consumer's request, the controller must inform the consumer without undue delay, which may not be later than 45 days after the date of receipt of the request, of the justification for the inability to take action on the request and provide instruction… (§ 501.706(3), Florida Statutes, Title XXXIII, Chapter 501, Sections 701-721, Florida Digital Bill of Rights)
  • A controller shall establish a process for a consumer to appeal, within a reasonable period of time after the consumer's receipt of a decision by the controller under subsection (c)(2), the controller's refusal to take action on a request by the consumer under this section. The appeal process shall … (IC 24-15-3-1(d), Indiana Code, Title 24, Article 15, Consumer Data Protection)
  • If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay of the justification for declining to take action, except in the case of a suspected fraudulent request, in which case the controller may state that the controller w… (§ 715D.3.2.b., Iowa Code Annotated, Section 715D, An Act Relating to Consumer Data Protection, Providing Civil Penalties, and Including Effective Date Provisions)
  • A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to this section. The appeal process shall be conspicuously available and similar to the proces… (§ 715D.3.3., Iowa Code Annotated, Section 715D, An Act Relating to Consumer Data Protection, Providing Civil Penalties, and Including Effective Date Provisions)
  • A controller shall establish a process for a consumer to appeal the controller's refusal to act on a request within a reasonable period after the consumer's receipt of the decision. The appeal process must be conspicuously available and like the process for submitting requests to initiate action pur… (§ Section 5. (5), Montana Consumer Data Privacy Act)
  • If a controller declines to act regarding the consumer's request, the controller shall inform the consumer without undue delay, but not later than 45 days after receipt of the request, of the justification for declining to act and provide instructions for how to appeal the decision. (§ Section 5. (4)(b), Montana Consumer Data Privacy Act 2023)
  • A controller shall establish a process for a consumer to appeal the controller's refusal to act on a request within a reasonable period after the consumer's receipt of the decision. The appeal process must be conspicuously available and like the process for submitting requests to initiate action pur… (§ Section 5. (5), Montana Consumer Data Privacy Act 2023)
  • A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision. The appeal process shall be conspicuously available and similar to the process for submitting requests… (§ 507-H:4 IV., New Hampshire Statutes, Title LII, Chapter 507-H, Expectation of Privacy)
  • A controller shall establish a process by means of which a consumer may appeal the controller's refusal to take action on a request under subsection (1) of this section. The controller's process must: (Section 4 (6), 82nd Oregon Legislative Assembly, Senate Bill 619)
  • Allow a reasonable period of time after the consumer receives the controller's refusal within which to appeal; (Section 4 (6)(a), 82nd Oregon Legislative Assembly, Senate Bill 619)
  • Be similar to the manner in which a consumer must submit a request under subsection (1) of this section; and (Section 4 (6)(c), 82nd Oregon Legislative Assembly, Senate Bill 619)
  • Be conspicuously available to the consumer; (Section 4 (6)(b), 82nd Oregon Legislative Assembly, Senate Bill 619)
  • If a controller declines to take action regarding the consumer's request, then the controller shall inform the consumer without undue delay, but in all cases and at the latest within forty-five (45) days of receipt of the request, of the justification for declining to take action and instructions fo… (§ 47-18-3203.(b)(2), Tennessee Code Annotated, Title 47, Chapter 18, Parts 3201 through 3213, Tennessee Information Protection Act)
  • A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subdivision (b)(2). The appeal process must be made available to the consumer in a conspicu… (§ 47-18-3203.(c), Tennessee Code Annotated, Title 47, Chapter 18, Parts 3201 through 3213, Tennessee Information Protection Act)
  • If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, which may not be later than the 45th day after the date of receipt of the request, of the justification for declining to take action and provide instructions on how… (§ 541.052 (c), Texas Business and Commercial Code, Title 11, Subtitle C, Chapter 541, Subchapter A, Section 541)
  • A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision under Section 541.052(c). (§ 541.053 (a), Texas Business and Commercial Code, Title 11, Subtitle C, Chapter 541, Subchapter A, Section 541)
  • The appeal process must be conspicuously available and similar to the process for initiating action to exercise consumer rights by submitting a request under Section 541.051. (§ 541.053 (b), Texas Business and Commercial Code, Title 11, Subtitle C, Chapter 541, Subchapter A, Section 541)
  • A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subdivision B 2. The appeal process shall be conspicuously available and similar to the pro… (§ 59.1-577.C., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act)
  • A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subdivision B 2. The appeal process shall be conspicuously available and similar to the pro… (§ 59.1-577.C., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act, April 11, 2022)
  • The educational agency or institution shall give the parent or eligible student a full and fair opportunity to present evidence relevant to the issues raised under § 99.21. The parent or eligible student may, at their own expense, be assisted or represented by one or more individuals of his or her … (§ 99.22 ¶ 1(d), 34 CFR Part 99, Family Educational Rights and Privacy)