The system must specify the purpose of personal data collection (OECD.9, ISACA.G31.3.), and it must do so before requesting the user’s consent for the collection.
Applications usually request or collect personal data from their users. Such collection must be properly justified according to the legal requirements of each nation. These reasons must be accessible for the user in a clear manner, using easily understandable language and before requesting their consent for the collection and processing of data.
Directive 2002/58/EC (amended by E-privacy Directive 2009/136/EC). Art. 6: Traffic data.(4) The service provider must inform the subscriber or user of the types of traffic data which are processed and of the duration of such processing for the purposes mentioned in paragraph 2 and, prior to obtaining consent, for the purposes mentioned in paragraph 3.
Directive 2002/58/EC (amended by E-privacy Directive 2009/136/EC). Art. 9: Location data other than traffic data.(1) The service provider must inform the users or subscribers, prior to obtaining their consent, of the type of location data other than traffic data which will be processed, of the purposes and duration of the processing and whether the data will be transmitted to a third party for the purpose of providing the value added service.
GDPR. Art. 13: Information to be provided where personal data are collected from the data subject.(1-3). Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information.
GDPR. Art. 14: Information to be provided where personal data have not been obtained from the data subject.(1-4). Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information.
GDPR. Art. 30: Records of processing activities. Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.
GDPR. Recital 39: Principles of data processing. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed.
GDPR. Recital 40: Lawfulness of data processing. In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis.
GDPR. Recital 45: Fulfillment of legal obligations. Where processing is carried out in accordance with a legal obligation to which the controller is subject, the processing should have a basis in Union or Member State law.
ISO 27001:2013. Annex A - 18.1.4 When applicable, guarantee the privacy and security of personal information, as required by the relevant legislation and regulation.
OWASP-ASVS v4.0.1 V8.3 Sensitive Private Data.(8.3.3) Verify that users are provided clear language regarding collection and use of supplied personal information and that users have provided opt-in consent for the use of that data before it is used in any way.