Establish, implement, and maintain personal data choice and consent program.


CONTROL ID
12569
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a privacy framework that protects restricted data., CC ID: 11850

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain data request procedures., CC ID: 16546
  • Refrain from discriminating against data subjects who have exercised privacy rights., CC ID: 13435
  • Refrain from charging a fee to implement an opt-out request., CC ID: 13877
  • Establish and maintain disclosure authorization forms for authorization of consent to use personal data., CC ID: 13433
  • Offer incentives for consumers to opt-in to provide their personal data to the organization., CC ID: 13781
  • Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data., CC ID: 00391
  • Confirm the individual's identity before granting an opt-out request., CC ID: 16813
  • Highlight the section regarding data subject's consent from other sections in contracts and agreements., CC ID: 13988
  • Allow consent requests to be provided in any official languages., CC ID: 16530
  • Notify interested personnel and affected parties of the reasons the opt-out request was refused., CC ID: 16537
  • Collect and retain disclosure authorizations for each data subject., CC ID: 13434
  • Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services., CC ID: 13605
  • Refrain from obtaining consent through deception., CC ID: 13556
  • Give individuals the ability to change the uses of their personal data., CC ID: 00469
  • Notify data subjects of the implications of withdrawing consent., CC ID: 13551


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • the Notice and Choice Principle; (Part II Division 1 5. (1) (b), Personal Data Protection Act 2010, Act 709, As at 15 June 2016)
  • Individuals shall have the right to be informed, the right to make decisions on the processing of their personal information, and the right to restrict or refuse the processing of their personal information by others, except as otherwise provided by laws or administrative regulations. (Article 44, Personal Information Protection Law of the People's Republic of China)
  • A person who obtains consent to receive advertising information pursuant to paragraph (1) or (3) shall regularly verify whether an addressee of advertising information consents to receive such information, as prescribed by Presidential Decree. (Article 50(8), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • The right to consent or not, and to elect the scope of consent, to the processing of such personal information; (Article 4 ¶ 1 (2), Personal Information Protection Act)
  • to add his Singapore telephone number to a register; or (PART IX Division 2 Section 40 (1)(a), Singapore Personal Data Protection Act 2012 (No. 26 of 2012))
  • to add his Singapore telephone number to a register; or (§ 40.(1)(a), Singapore Personal Data Protection Act 2012 (No. 26 of 2012), Revised Edition 2021)
  • gave clear and unambiguous consent to the sending of the specified message to that Singapore telephone number; and (§ 43.(4)(a), Singapore Personal Data Protection Act 2012 (No. 26 of 2012), Revised Edition 2021)
  • Payment service providers shall only access, process and retain personal data necessary for the provision of their payment services, with the explicit consent of the payment service user. (Art 94(2), DIRECTIVE (EU) 2015/2366 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC)
  • Consumer control: allowing users to choose whether data is collected or transferred to non-affiliates (TC-IM-220a.1. 6.3, Internet Media & Services Sustainability Accounting Standard, Version 2018-10)
  • Consumer control: allowing users to choose whether data is collected or transferred to non-affiliates (TC-SI-220a.1. 6.3, Software & IT Services Sustainability Accounting Standard, Version 2018-10)
  • Consumer control: allowing customers to choose whether data is collected or transferred to non-affiliates (TC-TL-220a.1. 6.3, Telecommunication Services Sustainability Accounting Standard, Version 2018-10)
  • Data subjects are able to determine whether the entity maintains personal information about them and, upon request, may obtain access to their personal information. (P5.1 ¶ 2 Bullet 3 Permits Data Subjects Access to Their Personal Information, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • any other prescribed information. (Section 10(1)(c), An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act)
  • The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and the consequences, if any, of each choice. Explicit consent for the collection, use, retention, disclosure, and disposal of personal informatio… (P2.1, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • Determination of potential opt-in considerations, based on information type, in analytics reports. (App A Objective 3:9f Bullet 3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Work with legal counsel and management, key departments and committees to ensure the organization has and maintains appropriate privacy and confidentiality consent, authorization forms and information notices and materials reflecting current organization and legal practices and requirements. (T0862, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Policies, processes, and procedures for enabling individuals' data processing preferences and requests are established and in place. (CT.PO-P3, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Stakeholder privacy preferences are included in algorithmic design objectives and outputs are evaluated against these preferences. (CT.DM-P10, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Mechanisms (e.g., notices, internal or public reports) for communicating data processing purposes, practices, associated privacy risks, and options for enabling individuals' data processing preferences and requests are established and in place. (CM.AW-P1, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Work with legal counsel and management, key departments and committees to ensure the organization has and maintains appropriate privacy and confidentiality consent, authorization forms and information notices and materials reflecting current organization and legal practices and requirements. (T0862, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Provide [Assignment: organization-defined mechanisms] to allow individuals to tailor processing permissions to selected elements of personally identifiable information. (PT-4(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provide [Assignment: organization-defined mechanisms] to allow individuals to tailor processing permissions to selected elements of personally identifiable information. (PT-4(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • must be consumer-friendly and easy to use by the average consumer; (§ Section 6. (3)(b)(iii), Montana Consumer Data Privacy Act 2023)