1902.06d1Organizational.2-06.d 06.01 Compliance with Legal Requirements
When required, consent is obtained before any PII (e.g., about a client/customer) is emailed, faxed, or communicated by telephone conversation, or otherwise disclosed to parties external to the organization.
The customer is responsible for implementing this recommendation.
• Communicates to Data Subjects — Notice is provided to data subjects regarding the following:
  — Purpose for collecting personal information
  — Choice and consent
  — Types of personal information collected
  — Use, retention, and disposal
  — Disclosure to third parties
  — Security for privacy
  — Quality, including data subjects’ responsibilities for quality
  — Monitoring and enforcement
• Provides Notice to Data Subjects — Notice is provided to data subjects (1) at or before the time personal information is collected or as soon as practical thereafter, (2) at or before the entity changes its privacy notice or as soon as practical thereafter, or (3) before personal information is used for new purposes not previously identified.
• Covers Entities and Activities in Notice — An objective description of the entities and activities covered is included in the entity’s privacy notice.
• Uses Clear and Conspicuous Language — The entity’s privacy notice is conspicuous and uses clear language.