
Cooperate with Data Protection Authorities.


CONTROL ID: 06870
CONTROL TYPE: Data and Information Management
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Require data controllers to be accountable for their actions. (CC ID: 00470)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Moreover, every organisation should appoint a Data Protection Officer (bDSB) in the company and/or government agency. Many tasks are similar; thus, ISO and bDSB should cooperate closely. The bDSB, like the ISO, must have the direct right of recitation at any time with the management of the public ag… (§ 4.2 ¶ 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The written advice must be provided before the end of the period of 6 weeks beginning with receipt of the request for consultation by the controller or the processor. (§ 65(5), UK Data Protection Act 2018 Chapter 12)
  • Each controller and each processor must co-operate, on request, with the Commissioner in the performance of the Commissioner's tasks. (§ 63 ¶ 1, UK Data Protection Act 2018 Chapter 12)
  • The written advice must be provided before the end of the period of 6 weeks beginning with receipt of the request for consultation by the controller or the processor. (§ 65(5), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • Each controller and each processor must co-operate, on request, with the Commissioner in the performance of the Commissioner's tasks. (§ 63 ¶ 1, UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • Thirdly, individuals may also bring their complaints to a national DPA in the Union, which may make use of their investigatory and remedial powers under Regulation (EU) 2016/679. Organisations are obliged to cooperate in the investigation and the resolution of a complaint by a DPA either when it con… (2.4 (73), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • Organisations may choose independent recourse mechanisms in either the Union or in the United States. As explained in more detail in recital 73, this includes the possibility to voluntarily commit to cooperate with the EU DPAs. Where organisations process human resources data, such commitment to coo… (2.4 (67), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • The requirements laid down in this Executive Order issued by the President are binding on the entire Intelligence Community. They must be further implemented through agency policies and procedures that transpose them into concrete directions for day-to-day operations. In this respect, EO 14086 provi… (3.2.1.1 (126), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • elects to satisfy the requirement in points (a)(i) and (a)(iii) of the Recourse, Enforcement and Liability Principle by committing to cooperate with the DPAs; (III.5.b.i., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • An organization that wishes its EU-U.S. DPF benefits to cover human resources data transferred from the EU in the context of the employment relationship must commit to cooperate with the DPAs with regard to such data (see Supplemental Principle on Human Resources Data). (III.5.d., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • commitment to cooperate with DPAs located in the EU or their authorized representatives. (III.11.a.(iii), EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Organizations and their selected independent recourse mechanisms will respond promptly to inquiries and requests by the Department for information relating to the Privacy Shield. All organizations must respond expeditiously to complaints regarding compliance with the Principles referred by EU Member… (§ II.7.b., EU-U.S. Privacy Shield Framework Principles)
  • Organizations must retain their records on the implementation of their Privacy Shield privacy practices and make them available upon request in the context of an investigation or a complaint about non-compliance to the independent body responsible for investigating complaints or to the agency with u… (§ III.7.e., EU-U.S. Privacy Shield Framework Principles)
  • A U.S. organization participating in the Privacy Shield that uses EU human resources data transferred from the European Union in the context of the employment relationship and that wishes such transfers to be covered by the Privacy Shield must therefore commit to cooperate in investigations by and t… (§ III.9.d.ii., EU-U.S. Privacy Shield Framework Principles)
  • The Recourse, Enforcement and Liability Principle sets out the requirements for Privacy Shield enforcement. How to meet the requirements of point (a)(ii) of the Principle is set out in the Supplemental Principle on Verification. This Supplemental Principle addresses points (a)(i) and (a)(iii), both … (§ III.11.a., EU-U.S. Privacy Shield Framework Principles)
  • In order to help ensure compliance with their Privacy Shield commitments and to support the administration of the program, organizations, as well as their independent recourse mechanisms, must provide information relating to the Privacy Shield when requested by the Department. In addition, organizat… (§ III.11.c., EU-U.S. Privacy Shield Framework Principles)
  • elects to satisfy the requirement in points (a)(i) and (a)(iii) of the Recourse, Enforcement and Liability Principle by committing to cooperate with the FDPIC; (iii.5.b.i., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • An organization that wishes its Swiss-U.S. DPF benefits to cover human resources data transferred from Switzerland in the context of the employment relationship must commit to cooperate with the FDPIC with regard to such data (see Supplemental Principle on Human Resources Data). (iii.5.d., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • commitment to cooperate with the FDPIC or its authorized representative. (iii.11.a.(iii), SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • elects to satisfy the requirement in points (a)(i) and (a)(iii) of the Recourse, Enforcement and Liability Principle by committing to cooperate with the DPAs; (III.5.b.i., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • An organization that wishes its EU-U.S. DPF benefits to cover human resources data transferred from the EU in the context of the employment relationship must commit to cooperate with the DPAs with regard to such data (see Supplemental Principle on Human Resources Data). (III.5.d., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • commitment to cooperate with DPAs located in the EU or their authorized representatives. (III.11.a.(iii), UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • The organization may commit to cooperate with Data Protection Authorities by stating in the safe harbor certification that it will satisfy the requirements in points (a) and (c) of the safe harbor enforcement principle by committing to cooperate with the Data Protection Authorities. (FAQ-The Role of the Data Protection Authorities ¶ 2.1, US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • The organization may satisfy the requirements for points (a) and (c) of the enforcement principle by committing to cooperate with the European Union Data Protection Authorities or their authorized representatives. (FAQ-Dispute Resolution and Enforcement ¶ 1(3), US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • The organization may commit to cooperate with Data Protection Authorities by stating in the safe harbor certification that it will cooperate with the Data Protection Authorities on investigating and resolving complaints. (FAQ-The Role of the Data Protection Authorities ¶ 2.2, US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • The organization may commit to cooperate with Data Protection Authorities by stating in the safe harbor certification that it will comply with the advice from the Data Protection Authority, including remedial or compensatory measures, and will provide written confirmation that the action has been ta… (FAQ-The Role of the Data Protection Authorities ¶ 2.3, US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • An organization may satisfy points (a) and (c) of the enforcement principle by cooperating with the Data Protection Authorities in accordance with this FAQ. (FAQ-The Role of the Data Protection Authorities ¶ 1, US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed (GV.OC-03, Framework for Improving Critical Infrastructure Cybersecurity, v2.0)
  • engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored and governed by an institutional review board that determines, or similar independent oversight entities that determine, (§ 10 (a)(10), Connecticut Public Act No. 22-15, An Act Concerning Personal Data Privacy and Online Monitoring)
  • whether the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller, (§ 10 (a)(10)(A), Connecticut Public Act No. 22-15, An Act Concerning Personal Data Privacy and Online Monitoring)
  • Engage in public or peer-reviewed scientific research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board that determines whether the deletion of the information is likely to provide substantial… (§ 12D-110.(a)(10), Delaware Code, Title 6, Subtitle II, Chapter 12D. Delaware Personal Data Privacy Act)
  • Engage in public or peer-reviewed scientific or statistical research in the public interest which adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board or similar independent oversight entity that determines: (§ 501.716(1)(h), Florida Statutes, Title XXXIII, Chapter 501, Sections 701-721, Florida Digital Bill of Rights)
  • Engage in public or peer reviewed scientific or statistical research that is in the public interest and that adheres to all applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or a similar independent oversight entity, that determines if: (IC 24-15-8-1(a)(8), Indiana Code, Title 24, Article 15, Consumer Data Protection)
  • Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine the following: (§ 715D.7.1.j., Iowa Code Annotated, Section 715D, An Act Relating to Consumer Data Protection, Providing Civil Penalties, and Including Effective Date Provisions)
  • engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board that determines or similar independent oversight entities that determine: (§ Section 11. (1)(j), Montana Consumer Data Privacy Act)
  • Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored and governed by an institutional review board that determines, or similar independent oversight entities that determine; (§ 507-H:10 I.(j), New Hampshire Statutes, Title LII, Chapter 507-H, Expectation of Privacy)
  • Engage in public- or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entity that determines whether: (§ 47-18-3208.(a)(8), Tennessee Code Annotated, Title 47, Chapter 18, Parts 3201 through 3213, Tennessee Information Protection Act)
  • engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board or similar independent oversight entity that determines: (§ 541.201 (a)(8), Texas Business and Commercial Code, Title 11, Subtitle C, Chapter 541, Subchapter A, Section 541)
  • Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine: (i) if the del… (§ 59.1-582.A.8., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act)
  • Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine: (i) if the del… (§ 59.1-582.A.8., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act, April 11, 2022)