Include a commitment to comply with recommendations from applicable statutory bodies in the Statement of Compliance.


CONTROL ID: 12371
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Statement of Compliance. (CC ID: 12499)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • To certify under the EU-U.S. DPF (or re-certify on an annual basis), organisations are required to publicly declare their commitment to comply with the Principles, make their privacy policies available and fully implement them. As part of their (re-)certification application, organisations have to s… (2.3.1 (48), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • Thirdly, individuals may also bring their complaints to a national DPA in the Union, which may make use of their investigatory and remedial powers under Regulation (EU) 2016/679. Organisations are obliged to cooperate in the investigation and the resolution of a complaint by a DPA either when it con… (2.4 (73), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • The information security policies should be augmented by a statement concerning support for and commitment to achieving compliance with applicable PII protection legislation and the contractual terms agreed between the public cloud PII processor and its clients (cloud service customers). (§ 5.1.1 ¶ 3, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The information security policies should be augmented by a statement concerning support for and commitment to achieving compliance with applicable PII protection legislation and the contractual terms agreed between the public cloud PII processor and its clients (cloud service customers). (§ 5.1.1 ¶ 3, ISO/IEC 27018:2019, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, Second edition)
  • the entity complied with the specified requirements, in all material respects, or (AT-C Section 315.20 f.ii.(1), SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • An identification of the specified requirements against which compliance was measured or evaluated. (AT-C Section 315.20 d., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Where the organization wishes its EU-U.S. DPF benefits to cover human resources information transferred from the EU for use in the context of the employment relationship, it may do so where a statutory body listed in the Principles or a future annex to the Principles has jurisdiction to hear claims … (III.6.c., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Where the organization wishes its Privacy Shield benefits to cover human resources information transferred from the EU for use in the context of the employment relationship, it may do so where a statutory body listed in the Principles or a future annex to the Principles has jurisdiction to hear clai… (§ III.6.c., EU-U.S. Privacy Shield Framework Principles)
  • Where the organization wishes its Swiss-U.S. DPF benefits to cover human resources information transferred from Switzerland for use in the context of the employment relationship, it may do so where a statutory body listed in the Principles or a future annex to the Principles has jurisdiction to hear… (iii.6.c., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • A U.S. organization participating in the Swiss-U.S. DPF that uses Swiss human resources data transferred from Switzerland in the context of the employment relationship and that wishes such transfers to be covered by the Swiss-U.S. DPF must therefore commit to cooperate in investigations by and to co… (iii.9.d.ii., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Where the organization wishes its EU-U.S. DPF benefits to cover human resources information transferred from the EU for use in the context of the employment relationship, it may do so where a statutory body listed in the Principles or a future annex to the Principles has jurisdiction to hear claims … (III.6.c., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)