last sync: 2024-May-24 18:03:04 UTC

Obtain consent prior to collection or processing of personal data | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Obtain consent prior to collection or processing of personal data
Id 069101ac-4578-31da-0cd4-ff083edd3eb4
Version 1.1.0
Category Regulatory Compliance
Description CMA_0385 - Obtain consent prior to collection or processing of personal data
Additional metadata Name/Id: CMA_0385 / CMA_0385
Category: Operational
Title: Obtain consent prior to collection or processing of personal data
Ownership: Customer
Description: Microsoft recommends that your organization understand the legal requirements for collecting, processing, and disclosing personal data, and determine whether consent must be obtained before personal data can be collected, processed, or disclosed. Where consent is required, your organization should obtain and record that consent before collecting, transferring, processing, or disclosing personal data. Consent should be freely given by the data subject, in written or electronic form, and your organization should issue proof of receipt once consent has been received. Microsoft recommends retaining consent records for use in legal proceedings as necessary. Your organization should not collect, process, or disclose personal data unless the data subject has given consent prior to or at the time of such processing, except where the collection, processing, or disclosure is necessary for legal obligations, research studies, contractual obligations, protection of credit, protection of life or safety, or legitimate interests pursued by the controller or a third party. Microsoft recommends that your organization capture and honor any withdrawal of consent; where a withdrawal affects the data subject in any way, your organization should inform the data subject of those effects. When obtaining consent, inform the data subject of the purposes of the collection, use, and disclosure of personal data. The request for consent should be presented in an easily accessible form, using clear and plain language, and must not deceive or mislead the data subject about those purposes.
Prior consent should also be obtained before transferring data to an external entity, and before another organization or third party acquires personal data in the course of a merger or acquisition. Your organization should inform the data subject, prior to or at the time of collection, of the following:
- The purposes of the collection, including the lawful basis for collection in the absence of consent from the data subject
- Whether the provision of personal data is a statutory or contractual requirement
- The period for which the personal data will be processed and retained
- The recipients or categories of recipients to which the personal data will be disclosed
- Contact details for your organization's Data Privacy Officer
- The rights of the data subject
If your organization has collected personal data indirectly, from sources other than the data subject, it should inform the data subject within 30 days of the date of collection and obtain consent. If your organization receives personal data through a third-party disclosure, it should not use or disclose that data for purposes other than those the controller communicated to the data subject. In some cases consent may be given on behalf of the individual by another person; who qualifies as an appropriate substitute decision-maker varies by case and by regulation. Your organization should also determine when consent from the data subject is not required; various regulations do not require consent when personal data is processed for academic and certain other purposes. Microsoft also recommends retaining a copy or other evidence of the consent given by the data subject.
The Canada Personal Health Information Protection Act requires health information custodians to provide an individual who has been determined incapable of consenting with information about the consequences of that determination, including any prescribed information. The General Data Protection Regulation (GDPR) requires organizations to assess whether consent is freely given before collecting, processing, or disclosing personal data. GDPR also requires organizations to provide the following information to the data subject at the time personal data is collected:
- The period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period
- The existence of the right to request from the controller access to and rectification or erasure of personal data, or restriction of processing concerning the data subject, or to object to processing, as well as the right to data portability
- The existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
- The right to lodge a complaint with a supervisory authority
- Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, whether the data subject is obliged to provide the personal data, and the possible consequences of failing to provide it
- The existence of automated decision-making, including profiling
Belgium's Act on the Protection of Natural Persons with regard to the Processing of Personal Data requires a controller that has not collected the personal data directly from the data subject to conclude an agreement with the original controller that did. The agreement must contain the contact details of the original controller and of the controller of the further processing, along with any reasons for refusing a data subject's exercise of their rights.
Learn more: https://docs.microsoft.com/compliance/regulatory/gdpr-dsr-azure
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default: Manual; Allowed: Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1): Microsoft.Resources/subscriptions
Compliance
The following 25 compliance controls are associated with this Policy definition 'Obtain consent prior to collection or processing of personal data' (069101ac-4578-31da-0cd4-ff083edd3eb4)
Control Domain | Control Name | MetadataId | Category | Title | Owner | Requirements | Description | Policy#
hipaa | 1201.06e1Organizational.2-06.e | hipaa-1201.06e1Organizational.2-06.e | 12 Audit Logging & Monitoring | 1201.06e1Organizational.2-06.e 06.01 Compliance with Legal Requirements | Shared | n/a | The organization provides notice that the employee's actions may be monitored, and that the employee consents to such monitoring. | 12
hipaa | 1713.03c1Organizational.3-03.c | hipaa-1713.03c1Organizational.3-03.c | 17 Risk Management | 1713.03c1Organizational.3-03.c 03.01 Risk Management Program | Shared | n/a | The organization mitigates any harmful effect that is known to the organization of a use or disclosure of sensitive information (e.g., PII) by the organization or its business partners, vendors, contractors, or similar third-parties in violation of its policies and procedures. | 9
hipaa | 1902.06d1Organizational.2-06.d | hipaa-1902.06d1Organizational.2-06.d | 19 Data Protection & Privacy | 1902.06d1Organizational.2-06.d 06.01 Compliance with Legal Requirements | Shared | n/a | When required, consent is obtained before any PII (e.g., about a client/customer) is emailed, faxed, or communicated by telephone conversation, or otherwise disclosed to parties external to the organization. | 11
hipaa | 1911.06d1Organizational.13-06.d | hipaa-1911.06d1Organizational.13-06.d | 19 Data Protection & Privacy | 1911.06d1Organizational.13-06.d 06.01 Compliance with Legal Requirements | Shared | n/a | Records with sensitive personal information are protected during transfer to organizations lawfully collecting such information. | 5
hipaa | 19242.06d1Organizational.14-06.d | hipaa-19242.06d1Organizational.14-06.d | 19 Data Protection & Privacy | 19242.06d1Organizational.14-06.d 06.01 Compliance with Legal Requirements | Shared | n/a | Covered information storage is kept to a minimum. | 4
hipaa | 19243.06d1Organizational.15-06.d | hipaa-19243.06d1Organizational.15-06.d | 19 Data Protection & Privacy | 19243.06d1Organizational.15-06.d 06.01 Compliance with Legal Requirements | Shared | n/a | The organization specifies where covered information can be stored. | 9
hipaa | 19245.06d2Organizational.2-06.d | hipaa-19245.06d2Organizational.2-06.d | 19 Data Protection & Privacy | 19245.06d2Organizational.2-06.d 06.01 Compliance with Legal Requirements | Shared | n/a | The organization has implemented technical means to ensure covered information is stored in organization-specified locations. | 7
ISO27001-2013 | A.13.2.2 | ISO27001-2013_A.13.2.2 | Communications Security | Agreements on information transfer | Shared | n/a | Agreements shall address the secure transfer of business information between the organization and external parties. | 11
ISO27001-2013 | A.7.1.2 | ISO27001-2013_A.7.1.2 | Human Resources Security | Terms and conditions of employment | Shared | n/a | The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security. | 24
Spain ENS | mp.per.1 | mp.per.1 | n/a | Job characterization | n/a | n/a | (control text not available) | 41
Spain ENS | mp.per.2 | mp.per.2 | n/a | Duties and obligations | n/a | n/a | (control text not available) | 40
Spain ENS | mp.s.1 | mp.s.1 | n/a | E-mail protection | n/a | n/a | (control text not available) | 48
Spain ENS | op.ext.1 | op.ext.1 | n/a | Contracting and service level agreements | n/a | n/a | (control text not available) | 35
Spain ENS | op.mon.1 | op.mon.1 | n/a | Intrusion detection | n/a | n/a | (control text not available) | 53
Spain ENS | org.3 | org.3 | n/a | Security procedures | n/a | n/a | (control text not available) | 83
PCI_DSS_v4.0 | 3.2.1 | PCI_DSS_v4.0_3.2.1 | Requirement 03: Protect Stored Account Data | Storage of account data is kept to a minimum | Shared | n/a | Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that include at least the following: • Coverage for all locations of stored account data. • Coverage for any sensitive authentication data (SAD) stored prior to completion of authorization. This bullet is a best practice until its effective date; refer to Applicability Notes below for details. • Limiting data storage amount and retention time to that which is required for legal or regulatory, and/or business requirements. • Specific retention requirements for stored account data that defines length of retention period and includes a documented business justification. • Processes for secure deletion or rendering account data unrecoverable when no longer needed per the retention policy. • A process for verifying, at least once every three months, that stored account data exceeding the defined retention period has been securely deleted or rendered unrecoverable. | 8
PCI_DSS_v4.0 | 3.3.1 | PCI_DSS_v4.0_3.3.1 | Requirement 03: Protect Stored Account Data | Sensitive authentication data (SAD) is not stored after authorization | Shared | n/a | SAD is not retained after authorization, even if encrypted. All sensitive authentication data received is rendered unrecoverable upon completion of the authorization process. | 8
PCI_DSS_v4.0 | 3.3.1.1 | PCI_DSS_v4.0_3.3.1.1 | Requirement 03: Protect Stored Account Data | Sensitive authentication data (SAD) is not stored after authorization | Shared | n/a | The full contents of any track are not retained upon completion of the authorization process. | 8
PCI_DSS_v4.0 | 3.3.1.2 | PCI_DSS_v4.0_3.3.1.2 | Requirement 03: Protect Stored Account Data | Sensitive authentication data (SAD) is not stored after authorization | Shared | n/a | The card verification code is not retained upon completion of the authorization process. | 5
PCI_DSS_v4.0 | 3.3.1.3 | PCI_DSS_v4.0_3.3.1.3 | Requirement 03: Protect Stored Account Data | Sensitive authentication data (SAD) is not stored after authorization | Shared | n/a | The personal identification number (PIN) and the PIN block are not retained upon completion of the authorization process. | 8
PCI_DSS_v4.0 | 3.3.3 | PCI_DSS_v4.0_3.3.3 | Requirement 03: Protect Stored Account Data | Sensitive authentication data (SAD) is not stored after authorization | Shared | n/a | Additional requirement for issuers and companies that support issuing services and store sensitive authentication data: Any storage of sensitive authentication data is: • Limited to that which is needed for a legitimate issuing business need and is secured. • Encrypted using strong cryptography. This bullet is a best practice until its effective date; refer to Applicability Notes below for details. | 13
SOC_2 | P2.1 | SOC_2_P2.1 | Additional Criteria For Privacy | Privacy consent | Shared | The customer is responsible for implementing this recommendation. | • Communicates to Data Subjects — Data subjects are informed (a) about the choices available to them with respect to the collection, use, and disclosure of personal information and (b) that implicit or explicit consent is required to collect, use, and disclose personal information, unless a law or regulation specifically requires or allows otherwise. • Communicates Consequences of Denying or Withdrawing Consent — When personal information is collected, data subjects are informed of the consequences of refusing to provide personal information or denying or withdrawing consent to use personal information for purposes identified in the notice. • Obtains Implicit or Explicit Consent — Implicit or explicit consent is obtained from data subjects at or before the time personal information is collected or soon thereafter. The individual's preferences expressed in his or her consent are confirmed and implemented. • Documents and Obtains Consent for New Purposes and Uses — If information that was previously collected is to be used for purposes not previously identified in the privacy notice, the new purpose is documented, the data subject is notified, and implicit or explicit consent is obtained prior to such new use or purpose. • Obtains Explicit Consent for Sensitive Information — Explicit consent is obtained directly from the data subject when sensitive personal information is collected, used, or disclosed, unless a law or regulation specifically requires otherwise. • Obtains Consent for Data Transfers — Consent is obtained before personal information is transferred to or from an individual's computer or other similar device. | 4
SOC_2 | P3.1 | SOC_2_P3.1 | Additional Criteria For Privacy | Consistent personal information collection | Shared | The customer is responsible for implementing this recommendation. | • Limits the Collection of Personal Information — The collection of personal information is limited to that necessary to meet the entity's objectives. • Collects Information by Fair and Lawful Means — Methods of collecting personal information are reviewed by management before they are implemented to confirm that personal information is obtained (a) fairly, without intimidation or deception, and (b) lawfully, adhering to all relevant rules of law, whether derived from statute or common law, relating to the collection of personal information. • Collects Information From Reliable Sources — Management confirms that third parties from whom personal information is collected (that is, sources other than the individual) are reliable sources that collect information fairly and lawfully. • Informs Data Subjects When Additional Information Is Acquired — Data subjects are informed if the entity develops or acquires additional information about them for its use. | 4
SOC_2 | P3.2 | SOC_2_P3.2 | Additional Criteria For Privacy | Personal information explicit consent | Shared | The customer is responsible for implementing this recommendation. | • Obtains Explicit Consent for Sensitive Information — Explicit consent is obtained directly from the data subject when sensitive personal information is collected, used, or disclosed, unless a law or regulation specifically requires otherwise. • Documents Explicit Consent to Retain Information — Documentation of explicit consent for the collection, use, or disclosure of sensitive personal information is retained in accordance with objectives related to privacy. | 2
SOC_2 | P4.1 | SOC_2_P4.1 | Additional Criteria For Privacy | Personal information use | Shared | The customer is responsible for implementing this recommendation. | • Uses Personal Information for Intended Purposes — Personal information is used only for the intended purposes for which it was collected and only when implicit or explicit consent has been obtained, unless a law or regulation specifically requires otherwise. | 5
Initiatives usage
Initiative DisplayName | Initiative Id | Initiative Category | State | Type
HITRUST/HIPAA | a169a624-5599-4385-a696-c8d643089fab | Regulatory Compliance | GA | BuiltIn
ISO 27001:2013 | 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 | Regulatory Compliance | GA | BuiltIn
PCI DSS v4 | c676748e-3af9-4e22-bc28-50feed564afb | Regulatory Compliance | GA | BuiltIn
SOC 2 Type 2 | 4054785f-702b-4a98-9215-009cbd58b141 | Regulatory Compliance | GA | BuiltIn
Spain ENS | 175daf90-21e1-4fec-b745-7b4c909aa94c | Regulatory Compliance | GA | BuiltIn
History
Date/Time (UTC ymd) | Change type | Change detail
2022-09-27 16:35:32 | change | Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 | add | 069101ac-4578-31da-0cd4-ff083edd3eb4