SOC 2 (Systems and Organization Controls)
P4.3: Secure disposal of personal information

How to fill the requirement

Task name: Archiving and destruction processes for data sets
Theme: Management of data sets
Policy: Management of data sets

This task also fulfils the following other security requirements:

  • PR.IP-6: Data destruction (NIST)
  • A.7.4.5: PII de-identification and deletion at the end of processing (ISO 27701)
  • A.7.4.8: Disposal (ISO 27701)
  • 8.10: Information deletion (ISO27k1 Full)
  • P4.3: Secure disposal of personal information (SOC 2)
1. Task description

The organization must document the retention periods of its data sets and the related archiving process (archiving method and location, or destruction). At the end of the retention period, the data must be archived or destroyed without delay and in a secure manner.

When destroying data held in data systems, the following points should be taken into account:

  • a suitable destruction method (e.g. overwriting or cryptographic erasure) is chosen with the functional and statutory requirements in mind
  • whether evidence of the data destruction needs to be preserved is decided
  • when third parties are used for data destruction, the evidence requirement and the inclusion of destruction requirements in supplier contracts are agreed

The archiving or destruction process is defined as part of the data set documentation, and the data owner is responsible for carrying it out.
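Cryptographic erasure, one of the destruction methods named above, keeps each data set under its own key and destroys that key when the retention period ends, so every copy of the ciphertext (backups included) becomes unreadable while a destruction record survives as evidence. The Python sketch below is an added example, not part of this content library; it assumes an in-memory key store (a KMS or HSM in practice) and uses an HMAC-SHA256 keystream only as a stdlib stand-in for a vetted AEAD cipher.

```python
import hashlib, hmac, os
from datetime import datetime, timedelta

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a vetted AEAD such as AES-GCM (demo assumption)
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)  # fresh nonce per record
    return nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class DataSetStore:
    """One key per data set: destroying that key makes every stored record, backups included, unreadable."""
    def __init__(self):
        self.keys = {}       # data set -> key; in production this would live in a KMS/HSM
        self.retention = {}  # data set -> (created, retention period)
        self.records = {}    # data set -> ciphertext blobs; these may linger on disk and backups
        self.evidence = []   # destruction records kept as evidence of disposal

    def create(self, name: str, created: datetime, retention_days: int):
        self.keys[name] = os.urandom(32)
        self.retention[name] = (created, timedelta(days=retention_days))
        self.records[name] = []

    def add(self, name: str, plaintext: bytes):
        self.records[name].append(encrypt(self.keys[name], plaintext))

    def read(self, name: str) -> list:
        # KeyError after erasure: the ciphertext may still exist, but nothing can decrypt it
        return [decrypt(self.keys[name], b) for b in self.records[name]]

    def crypto_erase(self, name: str, now: datetime, actor: str):
        # Destroy the key and record evidence: what, when, who, how (never the key itself)
        fingerprint = hashlib.sha256(self.keys.pop(name)).hexdigest()[:16]
        self.evidence.append({"data_set": name, "method": "cryptographic erasure",
                              "key_fingerprint": fingerprint, "records": len(self.records[name]),
                              "destroyed_at": now.isoformat(), "by": actor})

    def enforce_retention(self, now: datetime, actor: str) -> list:
        # Erase every data set whose retention period has ended; returns the names erased
        due = [n for n, (created, period) in self.retention.items()
               if n in self.keys and now >= created + period]
        for n in due:
            self.crypto_erase(n, now, actor)
        return due
```

Create each data set with its creation date and retention period in days, add records, and run `enforce_retention(now, actor)` from a scheduled job; after erasure `read()` raises `KeyError` while the ciphertext and the evidence entry remain.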

Task name: Data erasure processes and the "right to be forgotten"
Theme: Privacy
Policy: Informing and data subject requests

This task also fulfils the following other security requirements:

  • 17. Right to erasure ('right to be forgotten') (GDPR)
  • A.7.3.6: Access, correction and/or erasure (ISO 27701)
  • A.8.2.3: Marketing and advertising use (ISO 27701)
  • TSU-19.4: Rights of the data subject - Rectification, erasure, transfer, restriction of processing and objection (Julkri)
  • P4.3: Secure disposal of personal information (SOC 2)
1. Task description

Unless one of the specific exceptions defined in the Data Protection Regulation applies, the data subject has the right to have his or her personal data erased when one of the following criteria is met:

  • the processing is based on consent (and there is no other legal basis for processing) and the data subject withdraws his or her consent
  • the data subject objects to the processing of his or her personal data for direct marketing purposes, or otherwise exercises his or her right to object, and there is no overriding legitimate reason for the processing
  • the personal data have been collected in connection with the provision of information society services

We have identified the situations in which the "right to be forgotten" applies to our processing. We have defined policies for these situations, which may cover e.g.:

  • the ways in which the data subject may request the erasure of his or her data
  • the means by which the identity of the person making the request is verified
  • the persons who assist the data set's contact person in processing the request
  • the means by which the data are securely and permanently erased and the data subject is informed of the erasure