Include independent recourse mechanisms in the privacy policy, as necessary.


CONTROL ID
12366
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Define what is included in the privacy policy., CC ID: 00404

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • that the APP privacy policy of the APP entity contains information about how the individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint; (Schedule 1 Part 2 Clause 5 Subclause 5.2(h), Australian Privacy Act 1988, Compilation No. 77)
  • Organisations may choose independent recourse mechanisms in either the Union or in the United States. As explained in more detail in recital 73, this includes the possibility to voluntarily commit to cooperate with the EU DPAs. Where organisations process human resources data, such commitment to coo… (2.4 (67), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • Firstly, Union data subjects may pursue cases of non-compliance with the Principles through direct contacts with the EU-U.S. DPF organisations. To facilitate resolution, the organisation must put in place an effective redress mechanism to deal with such complaints. An organisation's privacy policy m… (2.4 (69), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • the independent recourse mechanism that is available to investigate unresolved complaints. (§ III.6.b.iii.7., EU-U.S. Privacy Shield Framework Principles)
  • Consumers should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to a consumer within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual questio… (§ III.11.d.i., EU-U.S. Privacy Shield Framework Principles)
  • An organization must apply the Privacy Shield Principles of Security, Data Integrity and Purpose Limitation, and Recourse, Enforcement and Liability to personal data from publicly available sources. These Principles shall apply also to personal data collected from public records, i.e., those records… (§ III.15.a., EU-U.S. Privacy Shield Framework Principles)
  • Organizations are obligated to arbitrate claims and follow the terms as set forth in Annex I, provided that an individual has invoked binding arbitration by delivering notice to the organization at issue and following the procedures and subject to conditions set forth in Annex I. (§ II.7.c., EU-U.S. Privacy Shield Framework Principles)
  • This list is intended to be illustrative and not limiting. The private sector may design additional mechanisms to provide enforcement, so long as they meet the requirements of the Recourse, Enforcement and Liability Principle and the Supplemental Principles. Please note that the Recourse, Enforcemen… (§ III.11.b., EU-U.S. Privacy Shield Framework Principles)
  • Implement hardware-enforced separation and policy enforcement mechanisms between [Assignment: organization-defined security domains]. (SC-49 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Implement hardware-enforced separation and policy enforcement mechanisms between [Assignment: organization-defined security domains]. (SC-49 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)