last sync: 2024-Oct-11 17:51:27 UTC

Implement methods for consumer requests | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Implement methods for consumer requests
Id b8ec9ebb-5b7f-8426-17c1-2bc3fcd54c6e
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0319 - Implement methods for consumer requests
Additional metadata Name/Id: CMA_0319 / CMA_0319
Category: Operational
Title: Implement methods for consumer requests
Ownership: Customer
Description: Microsoft recommends that your organization make available two or more designated methods for consumers to exercise the right to request access, disclosure, use of (including selling), correction and/or deletion of personal information collected by your organization. At a minimum, it is recommended that this include a toll-free telephone number, and if the business maintains a website, a discoverable link that is accessible by consumers. We recommend that at least one method be in a format in which a person with disabilities can submit requests and interpret the response. It is also recommended that your organization make feasible arrangements and provide a copy of personal data records if the data subject or authorized delegate is under special circumstances that prevent them from exercising their rights to inspect and review their data. Microsoft recommends that your organization determine any fees associated with providing information to data subjects. Various data protection regulations allow data subjects to obtain information free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, your organization may either charge a reasonable fee considering the administrative costs of providing the information or communication or taking the action requested or refuse to act on the request. The New Zealand Health Information Privacy Code prohibits private sector health agencies from requiring the payment of any charges for information privacy requests concerning health information. Non-private sector agencies may require a reasonable charge when that agency has already made health information available to that individual in response to a request, and the individual requests the same or substantially the same health information within a period of 12 months, or for providing a copy of an x-ray, a video recording, an MRI scan photograph, a PET scan photograph, or a CAT scan photograph. If the charge is likely to exceed $30, the agency must provide the individual with an estimate of the charge before dealing with the request.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 3 compliance controls are associated with this Policy definition 'Implement methods for consumer requests' (b8ec9ebb-5b7f-8426-17c1-2bc3fcd54c6e)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
ISO27001-2013 A.12.4.1 ISO27001-2013_A.12.4.1 ISO 27001:2013 A.12.4.1 Operations Security Event Logging Shared n/a Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed. link 53
op.exp.8 Recording of the activity op.exp.8 Recording of the activity 404 not found n/a n/a 67
SOC_2 P5.1 SOC_2_P5.1 SOC 2 Type 2 P5.1 Additional Criteria For Privacy Personal information access Shared The customer is responsible for implementing this recommendation. • Authenticates Data Subjects’ Identity — The identity of data subjects who request access to their personal information is authenticated before they are given access to that information. • Permits Data Subjects Access to Their Personal Information — Data subjects are able to determine whether the entity maintains personal information about them and, upon request, may obtain access to their personal information. • Provides Understandable Personal Information Within Reasonable Time — Personal information is provided to data subjects in an understandable form, in a reasonable time frame, and at a reasonable cost, if any. • Informs Data Subjects If Access Is Denied — When data subjects are denied access to their personal information, the entity informs them of the denial and the reason for the denial in a timely manner, unless prohibited by law or regulation. 2
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add b8ec9ebb-5b7f-8426-17c1-2bc3fcd54c6e
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC