last sync: 2024-Jun-24 18:15:26 UTC

Respond to rectification requests | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Respond to rectification requests
Id 27ab3ac0-910d-724d-0afa-1a2a01e996c0
Version 1.1.0
Category Regulatory Compliance
Description CMA_0442 - Respond to rectification requests
Additional metadata Name/Id: CMA_0442 / CMA_0442
Category: Operational
Title: Respond to rectification requests
Ownership: Customer
Description: Microsoft recommends that your organization develop processes and procedures to respond to data subject requests for rectification of personal data, such as editing, redacting, or removing personal data from a document or other data file. If a data subject has asked your organization to rectify the personal data that resides in your organization's data stored in Azure, it is recommended that your organization determine whether to honor the request based on relevant artifacts. Data rectification can include editing, redacting, or removing personal data from a document or other data file. The most expedient way to fulfill the request may be to ask the data/document owner to use the appropriate Azure application to make the requested change. An alternative is to have an IT admin in your organization make the change.
We recommend that your organization consider the following while addressing the rectification request:
- Address the request within the applicable regulation timeline
- Inform the data subject of any extensions to the timeline, in accordance with the applicable regulation
- Establish a process for disseminating corrections or amendments of the personal data to other authorized users of the data, such as external information-sharing partners and, where feasible and appropriate, notify affected individuals that their information has been corrected or amended
- Ensure that the rectification to personal data does not obliterate/remove the original personal information
- Provide the data subject with a written notice of refusal and reasons of refusal, within the appropriate time frame
- Allow the data subject to refute the refusal
- Attach a note or a statement of correction to the data that was expected to be rectified if the data cannot be corrected or rectified.
Some scenarios in which your organization may choose to deny a data rectification request, as per applicable regulations, include:
- If fulfilling the request would constitute a violation of a court order
- If the individual's identity cannot be established
- If fulfilling the request would lead to disclosing the identity of other data subjects
- If the request is not within the data subject's rights
- If fulfilling the request is not reasonably practicable in the given circumstances.
Mexico's Federal Data Protection Law requires organizations that are data controllers to inform data subjects within 20 days from the date of receiving the request for modification of data.
Argentina's Personal Data Protection Act requires organizations (or the person responsible for, or the user of, the data bank) that are data controllers to inform data subjects within 5 days from the date of receiving the request for rectification, modification, or suppression of data.
Korea's Credit Information Use and Protection Act requires organizations to stop processing personal data immediately when the data subject requests correction of his or her data or makes an inquiry on data accuracy.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default: Manual
Allowed: Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 1 compliance controls are associated with this Policy definition 'Respond to rectification requests' (27ab3ac0-910d-724d-0afa-1a2a01e996c0)
Control Domain: SOC_2
Control: P5.2
Name: SOC_2_P5.2
MetadataId: SOC 2 Type 2 P5.2
Category: Additional Criteria For Privacy
Title: Personal information correction
Owner: Shared
Requirements: The customer is responsible for implementing this recommendation.
Description:
• Communicates Denial of Access Requests — Data subjects are informed, in writing, of the reason a request for access to their personal information was denied, the source of the entity’s legal right to deny such access, if applicable, and the individual’s right, if any, to challenge such denial, as specifically permitted or required by law or regulation.
• Permits Data Subjects to Update or Correct Personal Information — Data subjects are able to update or correct personal information held by the entity. The entity provides such updated or corrected information to third parties that were previously provided with the data subject’s personal information consistent with the entity’s objectives related to privacy.
• Communicates Denial of Correction Requests — Data subjects are informed, in writing, about the reason a request for correction of personal information was denied and how they may appeal.
Policy#: 1
Initiatives usage
Initiative DisplayName: SOC 2 Type 2
Initiative Id: 4054785f-702b-4a98-9215-009cbd58b141
Initiative Category: Regulatory Compliance
State: GA
Type: BuiltIn
History
Date/Time (UTC ymd) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add 27ab3ac0-910d-724d-0afa-1a2a01e996c0
JSON
api-version=2021-06-01