Data erasure processes and the "right to be forgotten"

Other tasks from the same security theme

Task name
Priority
Status
Theme
Policy
Other requirements
Privacy notices -report publishing and maintenance
Privacy
Informing and data subject requests
18
requirements

Examples of other requirements this task affects

12. Transparent information, communication and modalities for the exercise of the rights of the data subject
GDPR
13. Information to be provided where personal data are collected from the data subject
GDPR
14. Information to be provided where personal data have not been obtained from the data subject
GDPR
18.1.4: Privacy and protection of personally identifiable information
ISO 27001
ID.GV-3: Legal and regulatory requirements
NIST
1. Task description

With regard to the processing of personal data, the data subject must be provided with the information specified in the GDPR in a concise, comprehensible and easily accessible form. This is often done in the form of privacy statements, which are published, for example, on the organisation's website.

Where personal data have not been collected from the data subject himself, the descriptions shall state, in addition to the basic content:

  • where the data were obtained
  • which categories of personal data are covered
Notification channel for the registered for reporting privacy problems
Privacy
Informing and data subject requests
1
requirements

Examples of other requirements this task affects

P8.1: Periodic monitoring of privacy compliance
SOC 2
1. Task description

The organization has created and communicated to registered users a process through which they can report questions, complaints or disputes related to data protection.

The organization has rules of procedure for handling, resolving and communicating issues that come to this channel. Valid issues that arise can be handled, for example, through the general non-conformity management process.

Identifying the rights available to the data subject
Privacy
Informing and data subject requests
2
requirements

Examples of other requirements this task affects

TSU-19.1: Rights of the data subject - Identifying the rights available to the data subject
Julkri
P5.1: Granting access to stored personal data
SOC 2
1. Task description

Taking into account the legal basis of each identified purpose for processing personal data, the organization has defined which data subject rights apply to that processing.

The data subject cannot exercise all of their rights in every situation. Which rights the data subject can exercise at any given time depends on the basis on which the personal data in question is processed. The organization can make use of guidance from data protection authorities on how the legal basis for processing affects the available rights. In addition, exceptions to the rights may be laid down in special legislation applicable to the organization, or it may be possible to refuse to implement them on strong grounds in individual cases.

Acting as a joint controller
Privacy
Informing and data subject requests
2
requirements

Examples of other requirements this task affects

TSU-03: Joint controllers
Julkri
58: Identifying joint controllership situations
Digiturvan kokonaiskuvapalvelu
1. Task description

When acting as a joint controller, the organization determines, by means of a transparent arrangement with the other joint controllers, how the controllers' obligations are complied with and how data subjects are informed.

The organization can, for example, conclude an agreement with the other joint controllers, or document the procedures related to joint controllership in writing, publish them online and make them available at its offices.

Securely delivering a copy of data subject's personal data
Privacy
Informing and data subject requests
2
requirements

Examples of other requirements this task affects

A.7.3.8: Providing copy of PII processed
ISO 27701
TSU-19.3: Rights of the data subject - Right of access to data
Julkri
1. Task description

The organization must be able to provide the data subject with a copy of the personal data being processed at the data subject's request.

The organization must plan in advance a process by which a copy of the personal data can be delivered in a structured and commonly used format and securely to the data subject.

Informing third parties about relevant changes to personal data
Privacy
Informing and data subject requests
1
requirements

Examples of other requirements this task affects

A.7.3.7: PII controllers' obligations to inform third parties
ISO 27701
1. Task description

The organization should have pre-planned procedures for situations where third parties need to be notified of changes, deletions and prohibitions regarding shared personal data.

These parties can be, for example, partners who process data or organizations to which personal data has been disclosed.

Process for data subjects to rectify inaccurate personal data
Privacy
Informing and data subject requests
3
requirements

Examples of other requirements this task affects

A.7.3.6: Access, correction and/or erasure
ISO 27701
TSU-19.4: Rights of the data subject - Rectification, erasure, portability, restriction of processing and objection
Julkri
P5.2: Correction of personal information
SOC 2
1. Task description

The organization should offer data subjects a mechanism to view and correct their personal data.

Process for data subjects to object processing
Privacy
Informing and data subject requests
2
requirements

Examples of other requirements this task affects

A.7.3.5: Providing mechanism to object to PII processing
ISO 27701
TSU-19.4: Rights of the data subject - Rectification, erasure, portability, restriction of processing and objection
Julkri
1. Task description

Data subjects should be offered a clear means by which they can object to the processing of personal data.

The implementation method for objecting to processing may vary, but it should be in line with the way of using the service offered (e.g. in online services, objecting to processing should also be possible online).

Process for data subjects to edit or cancel a consent
Privacy
Informing and data subject requests
2
requirements

Examples of other requirements this task affects

A.7.3.4: Providing mechanism to modify or withdraw consent
ISO 27701
P2.1: Communication of choices about personal information to data subjects
SOC 2
1. Task description

When personal data is processed on the basis of the data subject's consent, the organization should provide data subjects with a clear process for editing or withdrawing their consent. Editing may also mean limiting the processing of personal data, which may affect the controller's right to delete the data in question.

The process should include recording requests for editing in a way similar to recording consent. Changes to consent must be communicated to all relevant data systems, authorized users and third parties. The process should also define the response time in which the requests should be processed.

N.B. Different jurisdictions may have restrictions on how and when the data subject can modify their consent.

Listing of non-recurring data disclosures and contractual commitment to informing them to customers
Privacy
Informing and data subject requests
7
requirements

Examples of other requirements this task affects

A.6: Use, retention and disclosure limitation
ISO 27018
A.6.1: PII disclosure notification
ISO 27018
A.6.2: Recording of PII disclosures
ISO 27018
A.8.5.1: Basis for PII transfer between jurisdictions
ISO 27701
A.8.5.4: Notification of PII disclosure requests
ISO 27701
1. Task description

The organization must have clear procedures for situations where the organization is required by law to disclose personal information to the authorities. In addition, a list must be kept of these individual data disclosures.

The organization shall pay particular attention to the communication of these situations and the timing of the communication to interested customers, unless this is illegal due to, for example, an ongoing investigation or other legal matter.

It must be possible to describe these practices to interested customers upon request. Procedures and reporting obligations must be described, e.g. in contracts for offered digital services.

Informing the controller of the processors of personal data
Privacy
Informing and data subject requests
6
requirements

Examples of other requirements this task affects

A.8: Openness, transparency and notice
ISO 27018
A.8.1: Disclosure of sub-contracted PII processing
ISO 27018
A.8.5.6: Disclosure of subcontractors used to process PII
ISO 27701
A.8.5.7: Engagement of subcontractor to process PII
ISO 27701
A.8.5.8: Change of subcontractor to process PII
ISO 27701
1. Task description

The organization must define procedures for informing the controller of all processors of personal data before processing begins.

The notification shall include the data processed by the processors and the purposes for which they process the data.

Documentation of personal data sources for data systems
Privacy
Informing and data subject requests
5
requirements

Examples of other requirements this task affects

14. Information to be provided where personal data have not been obtained from the data subject
GDPR
A.7.3.3: Providing information to PII principals
ISO 27701
TSU-19.2: Rights of the data subject - Transparent information
Julkri
P3.1: Collection of personal information is consistent with objectives related to privacy
SOC 2
1. Task description

Understanding data sources is important for understanding data flow. In addition, data protection communications shall be able to communicate the sources of personal data in cases where the data have not been collected directly from the data subject himself.

Data erasure processes and the "right to be forgotten"
Privacy
Informing and data subject requests
7
requirements

Examples of other requirements this task affects

17. Right to erasure (‘right to be forgotten’)
GDPR
A.7.3.6: Access, correction and/or erasure
ISO 27701
A.8.2.3: Marketing and advertising use
ISO 27701
TSU-19.4: Rights of the data subject - Rectification, erasure, portability, restriction of processing and objection
Julkri
P4.3: Secure disposal of personal information
SOC 2
1. Task description

Unless one of the specific situations defined in the Data Protection Regulation applies, the data subject has the right to have his or her personal data deleted when one of the following criteria is met:

  • the processing is based on consent (and there is no other reason for processing) and the data subject withdraws her consent
  • the data subject objects to the processing of his or her personal data for the purposes of direct marketing or otherwise exercises his or her right of objection and there is no valid reason for such processing
  • personal data have been collected in connection with the provision of information society services

We are aware of the situations in which the "right to be forgotten" is realized in our actions. We have designed policies for these situations, which may include e.g.:

  • the ways in which the data subject may request the deletion of data
  • the means by which the identity of the sender of the request for information is verified
  • persons assisting the contact person of the databank in processing the request
  • the means by which data are securely and permanently deleted and the data subject is informed
Process for receiving and handling data subject requests
Privacy
Informing and data subject requests
24
requirements

Examples of other requirements this task affects

15. Right of access by the data subject
GDPR
16. Right to rectification
GDPR
18. Right to restriction of processing
GDPR
19. Notification obligation regarding rectification or erasure of personal data or restriction of processing
GDPR
21. Right to object
GDPR
1. Task description

Whenever we process personal data, the data subject has certain rights, e.g. to gain access to their data and, in certain situations, to object to processing or have their data deleted.

We have planned procedures for handling data subject requests, which may include e.g.:

  • the ways in which the data subject may make a request for information
  • methods to verify the identity of the sender
  • the persons to whom requests for information are forwarded in relation to each register
Communication methods for refusing to implement data protection requests
Privacy
Informing and data subject requests
2
requirements

Examples of other requirements this task affects

P5.1: Granting access to stored personal data
SOC 2
P5.2: Correction of personal information
SOC 2
1. Task description

The organization has defined clear procedures that it follows in informing data subjects when refusing to implement data protection requests (e.g. the right to access or correct data). In these situations, the reasons for which the request was refused must be clearly communicated to the data subject.

Clear communication about the effects of consent
Privacy
Informing and data subject requests
1
requirements

Examples of other requirements this task affects

P2.1: Communication of choices about personal information to data subjects
SOC 2
1. Task description

The organization has defined the ways in which the data subject's understanding of the effects of his consent is ensured.

At least the following points of view are clearly communicated to the data subject:

  • What are the effects of his consent?
  • What are the effects of refusing consent or its subsequent withdrawal?
Ability to provide the data subject with personal data ready for transfer
Privacy
Informing and data subject requests
5
requirements

Examples of other requirements this task affects

20. Right to data portability
GDPR
A.7.3.8: Providing copy of PII processed
ISO 27701
TSU-19.4: Rights of the data subject - Rectification, erasure, portability, restriction of processing and objection
Julkri
9.6.1: Management of data subject requests
TISAX
1. Task description

The data subject shall have the right to obtain the personal data provided to the controller in a structured, commonly used and machine-readable form and, if he so wishes, to transfer such data to another controller. This can mean, for example, a way to download the data added to a web service all at once in a commonly used format (e.g. XLS, XML, JSON).

The right applies when the following conditions are met:

  • personal data is processed automatically
  • the personal data concern the data subject and are provided by her
  • the processing of personal data is based on consent or agreement
  • when the transfer of data does not adversely affect the rights and freedoms of third parties

The right does not cover data that have been generated by the controller himself on the basis of data provided by the data subject (e.g. health assessments) or that have been compiled from the analysis of data generated from the data subject's monitoring (such as profiling).

Our organization is aware of situations where the data subject has the right to transfer their data. We have designed policies for these situations, which may include e.g.:

  • the ways in which the data subject may request the transfer of data
  • the means by which the identity of the sender of the request for information is verified
  • the forms in which the information is provided to the data subject
  • ways in which the data subject is informed
Testing the clarity of privacy communications
Privacy
Informing and data subject requests
4
requirements

Examples of other requirements this task affects

12. Transparent information, communication and modalities for the exercise of the rights of the data subject
GDPR
TSU-19.2: Rights of the data subject - Transparent information
Julkri
64: Defining informing practices
Digiturvan kokonaiskuvapalvelu
P1.1: Providing notice to data subjects about privacy practices
SOC 2
1. Task description

Privacy communications should be concise, easy to understand and easily accessible. To develop privacy communications, we test our communications for different uses by providing a snapshot of the privacy communications to a test group selected from among data subjects, and modifying the communications based on their feedback.

Ensuring the timeliness of privacy communication
Privacy
Informing and data subject requests
8
requirements

Examples of other requirements this task affects

12. Transparent information, communication and modalities for the exercise of the rights of the data subject
GDPR
18.1.4: Privacy and protection of personally identifiable information
ISO 27001
18.2.2: Compliance with security policies and standards
ISO 27001
A.7.3.2: Determining information for PII principals
ISO 27701
TSU-19.2: Rights of the data subject - Transparent information
Julkri
1. Task description

The purposes of the processing of personal data will change as the business develops. Privacy communications should stay up-to-date and reflect the actual state of processing.

We regularly make sure that all processing purposes are mentioned in communications (e.g. privacy statements), that the processing is accurately described, and that communications are provided to data subjects within the required time limits.
