Establish, implement, and maintain an authorized representatives policy.


CONTROL ID
13798
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a digital identity management program., CC ID: 13713

This Control has the following implementation support Control(s):
  • Include authorized representative life cycle management requirements in the authorized representatives policy., CC ID: 13802
  • Include any necessary restrictions for the authorized representative in the authorized representatives policy., CC ID: 13801
  • Include suspension requirements for authorized representatives in the authorized representatives policy., CC ID: 13800
  • Include the authorized representative's life span in the authorized representatives policy., CC ID: 13799


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager. (§ 6.(7), Digital Personal Data Protection Act, 2023, August 11, 2023)
  • A Data Principal shall have the right to nominate, in such manner as may be prescribed, any other individual, who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal in accordance with the provisions of this Act and the rules made thereunder. (§ 14.(1), Digital Personal Data Protection Act, 2023, August 11, 2023)
  • Prior to making their systems available on the Union market, where an importer cannot be identified, providers established outside the Union shall, by written mandate, appoint an authorised representative which is established in the Union. (Article 25 1., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • The memorandum must show the terms and conditions of the order or instructions and of any modification or cancellation thereof, the account for which entered, the time the order was received, the time of entry, the price at which executed, the identity of each associated person, if any, responsible … (§ 240.17a-3 (a)(6)(i) (A), 17 CFR Part 240.17a-3 - Records to be made by certain exchange members, brokers and dealers)
  • Implementation specification: Deceased individuals. If under applicable law an executor, administrator, or other person has authority to act on behalf of a deceased individual or of the individual's estate, a covered entity must treat such person as a personal representative under this subchapter, w… (§ 164.502(g)(4), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Implementation specification: Unemancipated minors. If under applicable law a parent, guardian, or other person acting in loco parentis has authority to act on behalf of an individual who is an unemancipated minor in making decisions related to health care, a covered entity must treat such person as… (§ 164.502(g)(3)(i), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Implementation specification: Adults and emancipated minors. If under applicable law a person has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under… (§ 164.502(g)(2), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Limited uses and disclosures when the individual is not present. If the individual is not present, or the opportunity to agree or object to the use or disclosure cannot practicably be provided because of the individual's incapacity or an emergency circumstance, the covered entity may, in the exercis… (§ 164.510(b)(3), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • A covered entity may use or disclose protected health information to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual's location, … (§ 164.510(b)(1)(ii), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided. (§ 164.508(c)(1)(vi), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • The CSP SHALL establish written policy and procedures as to how a trusted referee is determined and the lifecycle by which the trusted referee retains their status as a valid referee, to include any restrictions, as well as any revocation and suspension requirements. (5.3.4 2, Digital Identity Guidelines: Enrollment and Identity Proofing, NIST SP 800-63A)
  • A consumer may exercise rights under this section by a secure and reliable means established by the controller and described to the consumer in the controller's privacy notice. A consumer may designate an authorized agent in accordance with section 5 of this act to exercise the rights of such consum… (§ 4 (b), Connecticut Public Act No. 22-15, An Act Concerning Personal Data Privacy and Online Monitoring)
  • A consumer may designate another person to serve as the consumer's authorized agent, and act on such consumer's behalf, to opt out of the processing of such consumer's personal data for one or more of the purposes specified in subdivision (5) of subsection (a) of section 4 of this act. The consumer … (§ 5, Connecticut Public Act No. 22-15, An Act Concerning Personal Data Privacy and Online Monitoring)
  • A consumer may exercise rights under this section by a secure and reliable means established by the controller and described to the consumer in the controller's privacy notice. A consumer may designate an authorized agent in accordance with § 12D-105 of this chapter to exercise the rights of such c… (§ 12D-104.(b), Delaware Code, Title 6, Subtitle II, Chapter 12D. Delaware Personal Data Privacy Act)
  • A consumer may designate an authorized agent to act on the consumer's behalf to opt out of the processing of such consumer's personal data for one or more of the purposes specified in paragraph (a)(5) of § 12D-104 of this chapter. The consumer may designate such authorized agent by way of, among ot… (§ 12D-105.(a), Delaware Code, Title 6, Subtitle II, Chapter 12D. Delaware Personal Data Privacy Act)
  • A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on such consumer's behalf. The Department of Justice may publish or r… (§ 12D-105.(b), Delaware Code, Title 6, Subtitle II, Chapter 12D. Delaware Personal Data Privacy Act)
  • A consumer may exercise rights under this section by a secure and reliable means established by the controller and described to the consumer in the controller's privacy notice. A consumer may designate an authorized agent in accordance with § 12D-105 of this title to exercise the rights of such con… (§ 12D-104.(b), Delaware Code, Title 6, Subtitle II, Chapter 12D. Delaware Personal Data Privacy Act)
  • A consumer may designate an authorized agent to act on the consumer's behalf to opt out of the processing of such consumer's personal data for 1 or more of the purposes specified in § 12D-104(a)(6) of this title. The consumer may designate such authorized agent by way of, among other things, a plat… (§ 12D-105.(a), Delaware Code, Title 6, Subtitle II, Chapter 12D. Delaware Personal Data Privacy Act)
  • A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially-reasonable effort, the identity of the consumer and the authorized agent's authority to act on such consumer's behalf. The Department of Justice may publish or r… (§ 12D-105.(b), Delaware Code, Title 6, Subtitle II, Chapter 12D. Delaware Personal Data Privacy Act)
  • A consumer is entitled to exercise the consumer rights authorized by this section at any time by submitting a request to a controller which specifies the consumer rights that the consumer wishes to exercise. With respect to the processing of personal data belonging to a known child, a parent or lega… (§ 501.705(1), Florida Statutes, Title XXXIII, Chapter 501, Sections 701-721, Florida Digital Bill of Rights)
  • A consumer may invoke one (1) or more rights set forth in subsection (b) by submitting to a controller a request specifying the rights the consumer wishes to invoke. A known child's parent or legal guardian may invoke on behalf of the child one (1) or more rights set forth in subsection (b) with res… (IC 24-15-3-1(a), Indiana Code, Title 24, Article 15, Consumer Data Protection)
  • A consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to the controller, through the means specified by the controller pursuant to section 715D.4, subsection 6, specifying the consumer rights the consumer wishes to invoke. A known child's p… (§ 715D.3.1., Iowa Code Annotated, Section 715D, An Act Relating to Consumer Data Protection, Providing Civil Penalties, and Including Effective Date Provisions)
  • A consumer may designate another person to serve as the consumer's authorized agent and act on the consumer's behalf to opt out of the processing of the consumer's personal data for one or more of the purposes specified in [section 5(1)(e)]. The consumer may designate an authorized agent by way of a… (§ Section 6. (1), Montana Consumer Data Privacy Act)
  • A parent or legal guardian of a known child may exercise the consumer rights on the known child's behalf regarding the processing of personal data. (§ Section 5. (3)(b), Montana Consumer Data Privacy Act)
  • A consumer may designate an authorized agent in accordance with [section 6] to exercise the rights of the consumer to opt out of the processing of the consumer's personal data under subsection (1)(e) on behalf of the consumer. (§ Section 5. (3)(a), Montana Consumer Data Privacy Act)
  • A guardian or conservator of a consumer subject to a guardianship, conservatorship, or other protective arrangement, may exercise the rights on the consumer's behalf regarding the processing of personal data. (§ Section 5. (3)(c), Montana Consumer Data Privacy Act)
  • A consumer may designate another person to serve as the consumer's authorized agent and act on the consumer's behalf to opt out of the processing of the consumer's personal data for one or more of the purposes specified in [section 5(1)(e)]. The consumer may designate an authorized agent by way of a… (§ Section 6. (1), Montana Consumer Data Privacy Act 2023)
  • A consumer may designate another person to serve as the consumer's authorized agent, and act on such consumer's behalf, to opt-out of the processing of such consumer's personal data for one or more of the purposes specified in RSA 507-H:4, I(e). The consumer may designate such authorized agent by wa… (§ 507-H:5 ¶ 1, New Hampshire Statutes, Title LII, Chapter 507-H, Expectation of Privacy)
  • A consumer may exercise rights under this section by a secure and reliable means established by the secretary of state and described to the consumer in the controller's privacy notice. A consumer may designate an authorized agent in accordance with RSA 507-H:5 to exercise the rights of such consumer… (§ 507-H:4 II., New Hampshire Statutes, Title LII, Chapter 507-H, Expectation of Privacy)
  • A consumer may designate another person to act on the consumer's behalf as the consumer's authorized agent for the purpose of opting out of a controller's processing of the consumer's personal data, as provided in section 3 (1)(d) of this 2023 Act. The consumer may designate an authorized agent by m… (Section 4 (4), 82nd Oregon Legislative Assembly, Senate Bill 619)
  • A parent or legal guardian may exercise the rights described in section 3 of this 2023 Act on behalf of the parent's child or on behalf of a child for whom the guardian has legal responsibility. A guardian or conservator may exercise the rights described in subsection (1) of this section on behalf o… (Section 4 (3), 82nd Oregon Legislative Assembly, Senate Bill 619)
  • In addition to the information and fee described in paragraph (a) of this subsection, a representative who seeks to place a security freeze on a protected consumer's consumer report or protective record shall provide sufficient proof of the representative's authority to act on the protected consumer… (§ 646.606(3)(b)(A), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)
  • A consumer may invoke the consumer rights authorized pursuant to subdivision (a)(2) at any time by submitting a request to a controller specifying the consumer rights the consumer wishes to invoke. A known child's parent or legal guardian may invoke the consumer rights authorized pursuant to subdivi… (§ 47-18-3203.(a)(1), Tennessee Code Annotated, Title 47, Chapter 18, Parts 3201 through 3213, Tennessee Information Protection Act)
  • A consumer may designate another person to serve as the consumer's authorized agent and act on the consumer's behalf to opt out of the processing of the consumer's personal data under Sections 541.051(b)(5)(A) and (B). A consumer may designate an authorized agent using a technology, including a link… (§ 541.055 (e), Texas Business and Commercial Code, Title 11, Subtitle C, Chapter 541, Subchapter A, Section 541)
  • A consumer is entitled to exercise the consumer rights authorized by this section at any time by submitting a request to a controller specifying the consumer rights the consumer wishes to exercise. With respect to the processing of personal data belonging to a known child, a parent or legal guardian… (§ 541.051 (a), Texas Business and Commercial Code, Title 11, Subtitle C, Chapter 541, Subchapter A, Section 541)
  • In the case of processing personal data concerning a known child, the parent or legal guardian of the known child shall exercise a right on the child's behalf. (13-61-202 (2), Utah Code, Title 13, Chapter 61, Utah Consumer Privacy Act)
  • A consumer may invoke the consumer rights authorized pursuant to this subsection at any time by submitting a request to a controller specifying the consumer rights the consumer wishes to invoke. A known child's parent or legal guardian may invoke such consumer rights on behalf of the child regarding… (§ 59.1-577.A., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act, April 11, 2022)