Learn more about the connected frameworks

A.8
ISO 27018

Openness, transparency and notice

A.8.1
ISO 27018

Disclosure of sub-contracted PII processing

A.8.5.6
ISO 27701

Disclosure of subcontractors used to process PII

A.8.5.7
ISO 27701

Engagement of subcontractor to process PII

A.8.5.8
ISO 27701

Change of subcontractor to process PII

Other tasks from the same security theme

Privacy notices report publishing and maintenance

With regard to the processing of personal data, the data subject must be provided with the information specified in the GDPR in a concise, comprehensible and easily accessible form. This is often done in the form of privacy statements, which are published, for example, on the organisation's website.

Where personal data have not been collected from the data subject himself, the descriptions shall state, in addition to the basic content:

  • where the data were obtained
  • which categories of personal data are covered

14. Information to be provided where personal data have not been obtained from the data subject
GDPR
12. Transparent information, communication and modalities for the exercise of the rights of the data subject
GDPR
13. Information to be provided where personal data are collected from the data subject
GDPR
18.1.4: Privacy and protection of personally identifiable information
A.12.1: Geographical location of PII
ISO 27018

Notification channel for data subjects to report privacy problems

The organization has created and communicated to data subjects a process through which they can report questions, complaints or disputes related to data protection.

The organization has rules of procedure for handling, resolving and communicating issues that come to this channel. Valid issues that arise can be handled, for example, through the general non-conformity management process.

Identifying the rights available to the data subject

The organization has defined, taking into account the legal basis it has identified for the purpose of processing personal data, which data subject rights relate to the processing in question.

The data subject cannot exercise all of their rights in all situations. Which rights the data subject can exercise at any given time depends on the basis on which the personal data in question is processed. The organization can make use of guidance from data protection authorities on how the basis for processing affects the available rights. In addition, exceptions to the rights may be provided for in special legislation applicable to the organization, or it may be possible to refuse to implement them on strong grounds in individual cases.

Acting as a joint controller

When acting as a joint controller, the organization defines, through a transparent arrangement with the other joint controllers, how the controllers' obligations are complied with and how data subjects are informed.

The organization can, for example, make an agreement with the various joint controllers, or document in writing the procedures related to joint controllership, publish them online and make them available at its offices.

Securely delivering a copy of data subject's personal data

The organization must be able to provide the data subject with a copy of the personal data being processed at the data subject's request.

The organization must plan in advance a process by which a copy of the personal data can be delivered in a structured and commonly used format and securely to the data subject.

A.7.3.8: Providing copy of PII processed
ISO 27701

Informing third parties about relevant changes to personal data

The organization should have pre-planned procedures for situations where third parties need to be notified of changes, deletions and prohibitions regarding shared personal data.

These parties can be, for example, partners who process data or organizations to which personal data has been disclosed.

A.7.3.7: PII controllers' obligations to inform third parties
ISO 27701

Process for data subjects to rectify inaccurate personal data

The organization should offer data subjects a mechanism to view and correct their personal data.

A.7.3.6: Access, correction and/or erasure
ISO 27701

Process for data subjects to object to processing

Data subjects should be offered a clear means by which they can object to the processing of personal data.

The implementation method for objecting to processing may vary, but it should be in line with the way of using the service offered (e.g. in online services, objecting to processing should also be possible online).

A.7.3.5: Providing mechanism to object to PII processing
ISO 27701

Process for data subjects to edit or cancel a consent

When personal data is processed on the basis of the data subject's consent, the organization should provide data subjects with a clear process for editing or withdrawing their consent. Editing may also mean limiting the processing of personal data, which may affect the controller's right to delete the data in question.

The process should include recording requests for editing in a way similar to recording consent. Changes to consent must be communicated to all relevant data systems, authorized users and third parties. The process should also define the response time in which the requests should be processed.

N.b.! Different jurisdictions may have restrictions on how and when the data subject can modify their consent.

A.7.3.4: Providing mechanism to modify or withdraw consent
ISO 27701

Listing of non-recurring data disclosures and contractual commitment to informing customers of them

The organization must have clear procedures for situations where the organization is required by law to disclose personal information to the authorities. In addition, a list must be kept of these individual data disclosures.

The organization shall pay particular attention to the communication of these situations and the timing of the communication to interested customers, unless this is illegal due to, for example, an ongoing investigation or other legal matter.

It must be possible to describe these practices to interested customers upon request. Procedures and reporting obligations must be described, e.g. in contracts for offered digital services.

A.6.1: PII disclosure notification
ISO 27018
A.6.2: Recording of PII disclosures
ISO 27018
A.6: Use, retention and disclosure limitation
ISO 27018
A.8.5.1: Basis for PII transfer between jurisdictions
ISO 27701
A.8.5.4: Notification of PII disclosure requests
ISO 27701

Informing the controller of the processors of personal data

The organization must define procedures for informing the controller of all processors of personal data before processing begins.

The notification shall include the data processed by the processors and the purposes for which they process the data.

A.8: Openness, transparency and notice
ISO 27018
A.8.1: Disclosure of sub-contracted PII processing
ISO 27018
A.8.5.6: Disclosure of subcontractors used to process PII
ISO 27701
A.8.5.7: Engagement of subcontractor to process PII
ISO 27701
A.8.5.8: Change of subcontractor to process PII
ISO 27701

Documentation of personal data sources for data systems

Understanding data sources is important for understanding data flow. In addition, data protection communications shall be able to communicate the sources of personal data in cases where the data have not been collected directly from the data subject himself.

14. Information to be provided where personal data have not been obtained from the data subject
GDPR
A.7.3.3: Providing information to PII principals
ISO 27701

Data erasure processes and the "right to be forgotten"

Where none of the specific situations defined in the Data Protection Regulation apply and one of the following criteria is met, the data subject has the right to have his or her personal data deleted:

  • the processing is based on consent (and there is no other reason for processing) and the data subject withdraws her consent
  • the data subject objects to the processing of his or her personal data for the purposes of direct marketing or otherwise exercises his or her right of objection and there is no valid reason for such processing
  • personal data have been collected in connection with the provision of information society services

We are aware of the situations in which the "right to be forgotten" applies in our operations. We have designed policies for these situations, which may include e.g.:

  • the ways in which the data subject may request the deletion of data
  • the means by which the identity of the sender of the request for information is verified
  • persons assisting the contact person of the databank in processing the request
  • the means by which data are securely and permanently deleted and the data subject is informed

17. Right to erasure ('right to be forgotten')
GDPR
A.7.3.6: Access, correction and/or erasure
ISO 27701
A.8.2.3: Marketing and advertising use
ISO 27701

Process for receiving and handling data subject requests

Whenever we process personal data, the data subject has certain rights, e.g. to gain access to their data and, in certain situations, to oppose processing or have their data deleted.

We have planned procedures for handling data subject requests, which may include e.g.:

  • the ways in which the data subject may make a request for information
  • methods to verify the identity of the sender
  • the persons to whom requests for information are forwarded in relation to each register

15. Right of access by the data subject
GDPR
16. Right to rectification
GDPR
18. Right to restriction of processing
GDPR
19. Notification obligation regarding rectification or erasure of personal data or restriction of processing
GDPR
21. Right to object
GDPR

Communication methods for refusing to implement data protection requests

The organization has defined clear procedures that it follows in informing data subjects when refusing to implement data protection requests (e.g. the right to access or correct data). In these situations, the reasons for which the request was refused must be clearly communicated to the data subject.

Clear communication about the effects of consent

The organization has defined the ways in which the data subject's understanding of the effects of his consent is ensured.

At least the following points of view are clearly communicated to the data subject:

  • What are the effects of his consent?
  • What are the effects of refusing consent or its subsequent withdrawal?

Ability to provide the data subject with personal data ready for transfer

The data subject shall have the right to obtain the personal data provided to the controller in a structured, commonly used and machine-readable form and, if he so wishes, to transfer such data to another controller. This can mean, for example, a way to download the data added to a web service all at once in a common format (e.g. XLS, XML, JSON).

The right applies when the following conditions are met:

  • personal data is processed automatically
  • the personal data concern the data subject and are provided by her
  • the processing of personal data is based on consent or agreement
  • when the transfer of data does not adversely affect the rights and freedoms of third parties

The right does not cover data that have been generated by the controller himself on the basis of data provided by the data subject (e.g. health assessments) or that have been compiled from the analysis of data generated from the data subject's monitoring (such as profiling).

Our organization is aware of situations where the data subject has the right to transfer their data. We have designed policies for these situations, which may include e.g.:

  • the ways in which the data subject may request the transfer of data
  • the means by which the identity of the sender of the request for information is verified
  • the forms in which the information is provided to the data subject
  • ways in which the data subject is informed

20. Right to data portability
GDPR
A.7.3.8: Providing copy of PII processed
ISO 27701

Testing the clarity of privacy communications

Privacy communications should be concise, easy to understand and easily accessible. To develop privacy communications, we test our communications for different uses by providing a snapshot of the privacy communications to a test group selected from among data subjects, and modifying the communications based on their feedback.

12. Transparent information, communication and modalities for the exercise of the rights of the data subject
GDPR

Ensuring the timeliness of privacy communication

The purposes of the processing of personal data will change as the business develops. Privacy communications should stay up-to-date and reflect the actual state of processing.

We regularly make sure that all processing purposes are mentioned in communications (e.g. privacy statements), that the processing is accurately described, and that communications are provided to data subjects within the required time limits.

12. Transparent information, communication and modalities for the exercise of the rights of the data subject
GDPR
18.2.2: Compliance with security policies and standards
ISO 27001
18.1.4: Privacy and protection of personally identifiable information
A.7.3.2: Determining information for PII principals
ISO 27701