Name/Id: CMA_0442 / CMA_0442
Category: Operational
Title: Respond to rectification requests
Ownership: Customer
Description: Microsoft recommends that your organization develop processes and procedures to respond to data subject requests for rectification of personal data, such as editing, redacting, or removing personal data from a document or other data file. If a data subject has asked your organization to rectify the personal data that resides in your organization's data stored in Azure, it is recommended that your organization determine whether to honor the request based on relevant artifacts. Data rectification can include editing, redacting, or removing personal data from a document or other data file. The most expedient way to fulfill the request may be to ask the data/document owner to use the appropriate Azure application to make the requested change. An alternative is to have an IT admin in your organization make the change. We recommend that your organization consider the following while addressing the rectification request:
- Address the request within the applicable regulation timeline
- Inform the data subject of any extensions to the timeline, in accordance with the applicable regulation
- Establish a process for disseminating corrections or amendments of the personal data to other authorized users of the data, such as external information-sharing partners and, where feasible and appropriate, notify affected individuals that their information has been corrected or amended
- Ensure that the rectification to personal data does not obliterate/remove the original personal information
- Provide the data subject with a written notice of refusal and reasons of refusal, within the appropriate time frame
- Allow the data subject to refute the refusal
- Attach a note or a statement of correction to the data that was expected to be rectified if the data cannot be corrected or rectified.
Some scenarios in which your organization may choose to deny a data rectification request, as per applicable regulations, include:
- If fulfilling the request would constitute a violation of a court order
- If the individual's identity cannot be established
- If fulfilling the request would lead to disclosing the identity of other data subjects
- If the request is not within the data subject's rights
- If fulfilling the request is not reasonably practicable in the given circumstances.
Mexico's Federal Data Protection Law requires organizations that are data controllers to inform data subjects within 20 days from the date of receiving the request for modification of data. Argentina's Personal Data Protection Act requires organizations (or the person responsible for, or the user of, the data bank) that are data controllers to inform data subjects within 5 days from the date of receiving the request for rectification, modification, or suppression of data. Korea's Credit Information Use and Protection Act requires organizations to stop processing personal data immediately when the data subject requests correction of his or her data or makes an inquiry about data accuracy.
Requirements: The customer is responsible for implementing this recommendation.
Default: Manual
Allowed: Manual, Disabled
Rule resource types
IF (1) Microsoft.Resources/subscriptions
The following 1 compliance control is associated with this Policy definition 'Respond to rectification requests' (27ab3ac0-910d-724d-0afa-1a2a01e996c0)
The customer is responsible for implementing this recommendation.
• Communicates Denial of Access Requests — Data subjects are informed, in writing, of the reason a request for access to their personal information was denied, the source of the entity's legal right to deny such access, if applicable, and the individual's right, if any, to challenge such denial, as specifically permitted or required by law or regulation.
• Permits Data Subjects to Update or Correct Personal Information — Data subjects are able to update or correct personal information held by the entity. The entity provides such updated or corrected information to third parties that were previously provided with the data subject's personal information consistent with the entity's objectives related to privacy.
• Communicates Denial of Correction Requests — Data subjects are informed, in writing, about the reason a request for correction of personal information was denied and how they may appeal.