AzPolicyAdvertizer

last sync: 2023-Sep-26 18:00:51 UTC

Azure Policy definition

Respond to rectification requests | Regulatory Compliance - Operational

Source

Azure Portal

Display name

Respond to rectification requests

27ab3ac0-910d-724d-0afa-1a2a01e996c0

Version

1.1.0
details on versioning

Category

Regulatory Compliance
Microsoft docs

Description

CMA_0442 - Respond to rectification requests

Additional metadata

Name/Id: CMA_0442 / CMA_0442
Category: Operational
Title: Respond to rectification requests
Ownership: Customer
Description: Microsoft recommends that your organization develop processes and procedures to respond to data subject requests for rectification of personal data, such as editing, redacting, or removing personal data from a document or other data file. If a data subject has asked your organization to rectify the personal data that resides in your organization's data stored in Azure, it is recommended that your organization determine whether to honor the request based on relevant artifacts. Data rectification can include editing, redacting, or removing personal data from a document or other data file. The most expedient way to fulfill the request may be to ask the data/document owner to use the appropriate Azure application to make the requested change. An alternative is to have an IT admin in your organization make the change. We recommend that your organization consider the following while addressing the rectification request: - Address the request within the applicable regulation timeline - Inform the data subject of any extensions to the timeline, in accordance with the applicable regulation - Establish a process for disseminating corrections or amendments of the personal data to other authorized users of the data, such as external information-sharing partners and, where feasible and appropriate, notify affected individuals that their information has been corrected or amended - Ensure that the rectification to personal data does not obliterate/remove the original personal information - Provide the data subject with a written notice of refusal and reasons of refusal, within the appropriate time frame - Allow the data subject to refute the refusal - Attach a note or a statement of correction to the data that was expected to be rectified if the data cannot be corrected or rectified. Some scenarios in which your organization may choose to deny a data rectification request, as per applicable regulations, include: - If fulfilling the request would constitute in the violation of a court order - If the individual's identity cannot be established - If fulfilling the request would lead to disclosing the identity of other data subjects - If the request is not within the data subject's rights - If fulfilling the request is not reasonably practicable in the given circumstances. Mexico's Federal Data Protection Law requires organizations who are data controllers to inform data subjects within 20 days from the date of receiving the request for modification of data. Argentina Personal Data Protection Act requires organizations (or person responsible for or the user of the data bank) who are data controllers to inform data subjects within 5 days from the date of receiving the request for rectification or modification or suppression of data. Korea- Credit Information Use And Protection Act requires organizations to stop processing of personal data immediately when the data subject requests for correction of his or her data or makes an inquiry on data accuracy.
Requirements: The customer is responsible for implementing this recommendation.

Mode

All

Type

BuiltIn

Preview

False

Deprecated

False

Effect

Default
Manual
Allowed
Manual, Disabled

RBAC role(s)

none

Rule aliases

none

Rule resource types

IF (1)
Microsoft.Resources/subscriptions

Compliance

The following 1 compliance controls are associated with this Policy definition 'Respond to rectification requests' (27ab3ac0-910d-724d-0afa-1a2a01e996c0)

Control Domain	Control	Name	MetadataId	Category	Title	Owner	Requirements	Description	Info	Policy#
SOC_2	P5.2	SOC_2_P5.2	SOC 2 Type 2 P5.2	Additional Criteria For Privacy	Personal information correction	Shared	The customer is responsible for implementing this recommendation.	• Communicates Denial of Access Requests — Data subjects are informed, in writing, of the reason a request for access to their personal information was denied, the source of the entity’s legal right to deny such access, if applicable, and the individual’s right, if any, to challenge such denial, as specifically permitted or required by law or regulation. • Permits Data Subjects to Update or Correct Personal Information — Data subjects are able to update or correct personal information held by the entity. The entity provides such updated or corrected information to third parties that were previously provided with the data subject’s personal information consistent with the entity’s objectives related to privacy. • Communicates Denial of Correction Requests — Data subjects are informed, in writing, about the reason a request for correction of personal information was denied and how they may appeal.		1

Initiatives usage

Initiative DisplayName	Initiative Id	Initiative Category	State	Type
SOC 2 Type 2	4054785f-702b-4a98-9215-009cbd58b141	Regulatory Compliance	GA	BuiltIn

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2022-09-27 16:35:32	change	Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29	add	27ab3ac0-910d-724d-0afa-1a2a01e996c0

JSON compare

compare mode: version left: version right:

JSON

api-version=2021-06-01