R315. Provide processed data information

Requirement

The system must provide information about the personal data that it processes. Additionally, this information should be presented to the user before requesting their consent for its collection or processing.

Description

Systems usually request information from their users, obtain it from third parties or collect it based on their interactions with the application. They should have a mechanism that allows users to find out about the following aspects of the personal information that they process:

  1. The purpose of the processing of the data.

  2. The categories of processed data.

  3. The actors who will have access to the information.

  4. If possible, the time for which the data will be managed/processed.

  5. The possibility to request erasure or rectification.

  6. If the data was obtained from a third party, information about the third party.

Furthermore, the data should be presented in a clear manner, in a structured format and using easily understandable language.

Exceptions

  1. If the system is able to demonstrate that it is not possible to individually identify users based on the information collected from them, this requirement is not applicable.

  2. The processing of the personal information might have scientific, historical research or statistical purposes. If the system properly safeguards this information and if complying with this requirement seriously impairs these purposes, this requirement is not applicable.

  3. The processing of personal information might have archiving purposes in the public interest. If the system properly safeguards this information and if complying with this requirement seriously impairs these purposes, this requirement is not applicable.

References

  1. Directive 2002/58/EC (amended by E-privacy Directive 2009/136/EC). Art. 6: Traffic data. (4) The service provider must inform the subscriber or user of the types of traffic data which are processed and of the duration of such processing for the purposes mentioned in paragraph 2 and, prior to obtaining consent, for the purposes mentioned in paragraph 3.

  2. Directive 2002/58/EC (amended by E-privacy Directive 2009/136/EC). Art. 9: Location data other than traffic data. (1) The service provider must inform the users or subscribers, prior to obtaining their consent, of the type of location data other than traffic data which will be processed, of the purposes and duration of the processing and whether the data will be transmitted to a third party for the purpose of providing the value added service.

  3. GDPR. Art. 11: Processing which does not require identification. (2) Where the controller is able to demonstrate that it is not in a position to identify the data subject, Articles 15 to 20 shall not apply.

  4. GDPR. Art. 15: Right of access by the data subject. (1)(a-g) The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.

  5. GDPR. Art. 20: Right to data portability. (1) The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format.

  6. GDPR. Art. 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. (2) Where personal data are processed for scientific or historical research purposes or statistical purposes, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18 and 21.

  7. GDPR. Art. 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. (3) Where personal data are processed for archiving purposes in the public interest, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18, 19, 20 and 21.

  8. ISO 27001:2013. Annex A, 18.1.4: When applicable, guarantee the privacy and security of personal information, as required by the relevant legislation and regulations.

  9. OWASP-ASVS v4.0.1. V8.3: Sensitive Private Data. (8.3.4) Verify that all sensitive data created and processed by the application has been identified, and ensure that a policy is in place on how to deal with sensitive data.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.
