R313. Inform inability to identify users

Requirement

The system must inform the users whenever it can demonstrate its inability to individually identify them using the information it has collected from them.

Description

Systems usually request information from users or collect it based on their interactions with the application. Some regulations related to the collection of personal data are only applicable if the user can be identified using this data. Whenever the system is unable to individually identify its users with the data it collects from them, and can demonstrate this, it must inform them of this situation.

References

  1. GDPR. Art. 11: Processing which does not require identification. (2) Where the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible.

  2. OWASP-ASVS v4.0.1 V8.3 Sensitive Private Data. (8.3.4) Verify that all sensitive data created and processed by the application has been identified, and ensure that a policy is in place on how to deal with sensitive data.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.
