AzPolicyAdvertizer

last sync: 2024-Nov-25 18:54:24 UTC

Document the legal basis for processing personal information | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source

Azure Portal

Display name

Document the legal basis for processing personal information

79c75b38-334b-1a69-65e0-a9d929a42f75

Version

1.1.0
Details on versioning

Versioning

Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]

Category

Regulatory Compliance
Microsoft Learn

Description

CMA_0206 - Document the legal basis for processing personal information

Additional metadata

Name/Id: CMA_0206 / CMA_0206
Category: Documentation
Title: Document the legal basis for processing personal information
Ownership: Customer
Description: Microsoft recommends that your organization determine and document the legal basis for processing personal data. Various data privacy regulations require organizations to be clear and transparent about which lawful basis is being used for processing personal data prior to or at the time of collection such as data subject consent, legal obligations, research studies, contractual obligations, protection of credit, protection of life or safety, or legitimate interests pursued by the controller or a third party. Processing of personal data can be irregular when it does not comply with regulatory requirements or when it does not provide the security expected by the data subject considering the following circumstances: the way the data was collected, the result and the risks that one can reasonably expect of the data processing, and techniques for processing personal data available at the time it was done. Microsoft also recommends that your organization do not collect, use, or disclose personal data for other purposes different from what has been informed unless the data subject is already informed of the new purposes and his or her consent has been given prior to such collection, use, or disclosure. If your organization intends to further process the personal data for a purpose other than that for which the personal data were collected, your organization may provide the data subject prior to that further processing with information on that other purpose and with any relevant further information. Additionally, consider establishing procedures for processing sensitive information such as individual's Social Security number to govern: - Publicly posting or display - Printing - Transmittal over internet - Use to access a web site It is also recommended to not collect personal information of other individuals related or not related through an end-user unless there is a legitimate reason such as national interest or requested by regulatory authority. The General Data Protection Regulation (GDPR) prohibits the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. NIST 800-53 recommends prohibiting the processing of information describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity. Malta's Data Protection Act requires to process an identity document only when such processing is clearly justified by the importance of a secure identification, or any other valid reason provided by law.
Requirements: The customer is responsible for implementing this recommendation.

Mode

All

Type

BuiltIn

Preview

False

Deprecated

False

Effect

Default
Manual
Allowed
Manual, Disabled

RBAC role(s)

none

Rule aliases

none

Rule resource types

IF (1)
Microsoft.Resources/subscriptions

Compliance

The following 14 compliance controls are associated with this Policy definition 'Document the legal basis for processing personal information' (79c75b38-334b-1a69-65e0-a9d929a42f75)

Control Domain	Control	Name	MetadataId	Category	Title	Owner	Requirements	Description	Info	Policy#
hipaa	1713.03c1Organizational.3-03.c	hipaa-1713.03c1Organizational.3-03.c	1713.03c1Organizational.3-03.c	17 Risk Management	1713.03c1Organizational.3-03.c 03.01 Risk Management Program	Shared	n/a	The organization mitigates any harmful effect that is known to the organization of a use or disclosure of sensitive information (e.g., PII) by the organization or its business partners, vendors, contractors, or similar third-parties in violation of its policies and procedures.		9
hipaa	1911.06d1Organizational.13-06.d	hipaa-1911.06d1Organizational.13-06.d	1911.06d1Organizational.13-06.d	19 Data Protection & Privacy	1911.06d1Organizational.13-06.d 06.01 Compliance with Legal Requirements	Shared	n/a	Records with sensitive personal information are protected during transfer to organizations lawfully collecting such information.		5
hipaa	19242.06d1Organizational.14-06.d	hipaa-19242.06d1Organizational.14-06.d	19242.06d1Organizational.14-06.d	19 Data Protection & Privacy	19242.06d1Organizational.14-06.d 06.01 Compliance with Legal Requirements	Shared	n/a	Covered information storage is kept to a minimum.		4
hipaa	19243.06d1Organizational.15-06.d	hipaa-19243.06d1Organizational.15-06.d	19243.06d1Organizational.15-06.d	19 Data Protection & Privacy	19243.06d1Organizational.15-06.d 06.01 Compliance with Legal Requirements	Shared	n/a	The organization specifies where covered information can be stored.		9
hipaa	19245.06d2Organizational.2-06.d	hipaa-19245.06d2Organizational.2-06.d	19245.06d2Organizational.2-06.d	19 Data Protection & Privacy	19245.06d2Organizational.2-06.d 06.01 Compliance with Legal Requirements	Shared	n/a	The organization has implemented technical means to ensure covered information is stored in organization-specified locations.		7
ISO27001-2013	A.12.4.1	ISO27001-2013_A.12.4.1	ISO 27001:2013 A.12.4.1	Operations Security	Event Logging	Shared	n/a	Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.	link	53
	op.exp.8 Recording of the activity	op.exp.8 Recording of the activity	404 not found				n/a	n/a		67
PCI_DSS_v4.0	3.2.1	PCI_DSS_v4.0_3.2.1	PCI DSS v4.0 3.2.1	Requirement 03: Protect Stored Account Data	Storage of account data is kept to a minimum	Shared	n/a	Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that include at least the following: • Coverage for all locations of stored account data. • Coverage for any sensitive authentication data (SAD) stored prior to completion of authorization. This bullet is a best practice until its effective date; refer to Applicability Notes below for details. • Limiting data storage amount and retention time to that which is required for legal or regulatory, and/or business requirements. • Specific retention requirements for stored account data that defines length of retention period and includes a documented business justification. • Processes for secure deletion or rendering account data unrecoverable when no longer needed per the retention policy. • A process for verifying, at least once every three months, that stored account data exceeding the defined retention period has been securely deleted or rendered unrecoverable.	link	8
PCI_DSS_v4.0	3.3.1	PCI_DSS_v4.0_3.3.1	PCI DSS v4.0 3.3.1	Requirement 03: Protect Stored Account Data	Sensitive authentication data (SAD) is not stored after authorization	Shared	n/a	SAD is not retained after authorization, even if encrypted. All sensitive authentication data received is rendered unrecoverable upon completion of the authorization process.	link	8
PCI_DSS_v4.0	3.3.1.1	PCI_DSS_v4.0_3.3.1.1	PCI DSS v4.0 3.3.1.1	Requirement 03: Protect Stored Account Data	Sensitive authentication data (SAD) is not stored after authorization	Shared	n/a	The full contents of any track are not retained upon completion of the authorization process.	link	8
PCI_DSS_v4.0	3.3.1.2	PCI_DSS_v4.0_3.3.1.2	PCI DSS v4.0 3.3.1.2	Requirement 03: Protect Stored Account Data	Sensitive authentication data (SAD) is not stored after authorization	Shared	n/a	The card verification code is not retained upon completion of the authorization process.	link	5
PCI_DSS_v4.0	3.3.1.3	PCI_DSS_v4.0_3.3.1.3	PCI DSS v4.0 3.3.1.3	Requirement 03: Protect Stored Account Data	Sensitive authentication data (SAD) is not stored after authorization	Shared	n/a	The personal identification number (PIN) and the PIN block are not retained upon completion of the authorization process.	link	8
PCI_DSS_v4.0	3.3.3	PCI_DSS_v4.0_3.3.3	PCI DSS v4.0 3.3.3	Requirement 03: Protect Stored Account Data	Sensitive authentication data (SAD) is not stored after authorization	Shared	n/a	Additional requirement for issuers and companies that support issuing services and store sensitive authentication data: Any storage of sensitive authentication data is: • Limited to that which is needed for a legitimate issuing business need and is secured. • Encrypted using strong cryptography. This bullet is a best practice until its effective date; refer to Applicability Notes below for details.	link	13
SOC_2	P4.1	SOC_2_P4.1	SOC 2 Type 2 P4.1	Additional Criteria For Privacy	Personal information use	Shared	The customer is responsible for implementing this recommendation.	• Uses Personal Information for Intended Purposes — Personal information is used only for the intended purposes for which it was collected and only when implicit or explicit consent has been obtained, unless a law or regulation specifically requires otherwise.		5

Initiatives usage

Initiative DisplayName	Initiative Id	Initiative Category	State	Type
HITRUST/HIPAA	a169a624-5599-4385-a696-c8d643089fab	Regulatory Compliance	GA	BuiltIn
ISO 27001:2013	89c6cddc-1c73-4ac1-b19c-54d1a15a42f2	Regulatory Compliance	GA	BuiltIn
PCI DSS v4	c676748e-3af9-4e22-bc28-50feed564afb	Regulatory Compliance	GA	BuiltIn
SOC 2 Type 2	4054785f-702b-4a98-9215-009cbd58b141	Regulatory Compliance	GA	BuiltIn
Spain ENS	175daf90-21e1-4fec-b745-7b4c909aa94c	Regulatory Compliance	GA	BuiltIn

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2022-09-27 16:35:32	change	Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29	add	79c75b38-334b-1a69-65e0-a9d929a42f75

JSON compare

compare mode: version left: version right:

JSON

api-version=2021-06-01
EPAC