SOC 2 Consent for Disclosing Personal Information (P6.1)


Overview:
The entity discloses personal information to third parties with the explicit consent of data subjects, and such consent is obtained prior to disclosure to meet the entity’s objectives related to privacy.


Action Items:
1) Create a privacy notice (externally facing) and privacy policy (internally facing) and publish on the company intranet for employees to access and review.
2) Inspect the privacy notice to determine that the company only shares personal information with subsidiaries, related entities, and selected third parties that process data on behalf of Company, as applicable to the entity.


Related Documents:
1) Privacy notice
2) Privacy policy

Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:


1) Communicates Privacy Policies to Third Parties—Privacy policies or other specific instructions or requirements for handling personal information are communicated to third parties to whom personal information is disclosed.
2) Discloses Personal Information Only When Appropriate—Personal information is disclosed to third parties only for the purposes for which it was collected or created and only when implicit or explicit consent has been obtained from the data subject, unless a law or regulation specifically requires otherwise.
3) Discloses Personal Information Only to Appropriate Third Parties—Personal information is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity's privacy notice or other specific instructions or requirements. The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements.
4) Discloses Information to Third Parties for New Purposes and Uses—Personal information is disclosed to third parties for new purposes or uses only with the prior implicit or explicit consent of data subjects.



Article ID: 268
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/soc-2-consent-for-disclosing-personal-information-p6-1-268.html