DRPV-14

Do you certify stop-processing requests, including any data that is processed by a third party on your behalf?

Explanation

This question is asking whether your organization has a formal process to honor 'stop-processing requests' from individuals regarding their personal data, including when that data is handled by third parties working on your behalf. A 'stop-processing request' refers to an individual's right to request that an organization cease processing their personal data. This is a fundamental privacy right under regulations like GDPR (right to restriction of processing), CCPA/CPRA (right to opt-out), and other privacy laws.

The question is being asked in a security assessment because:

1. Regulatory compliance: Organizations must comply with privacy regulations that grant individuals control over their personal data.
2. Data governance: It demonstrates your ability to maintain control over data throughout its lifecycle, even when shared with third parties.
3. Privacy by design: It shows your commitment to respecting individual privacy rights as part of your overall security posture.
4. Third-party risk management: It verifies that you maintain control over data privacy even when data is shared with vendors or partners.

To best answer this question, you should:

1. Describe your formal process for receiving and handling stop-processing requests.
2. Explain how you verify the identity of individuals making such requests.
3. Detail the timeline for responding to and implementing these requests.
4. Explain how you ensure third parties comply with these requests.
5. Reference relevant documentation like your privacy policy, data processing agreements with third parties, and internal procedures.
6. If possible, provide metrics on past requests (e.g., average response time).

Guidance

Provide evidence of existing processes or policies. The internal privacy policy should explain your organization's policies and practices regarding the collection of personal information and other data about individuals.

Example Responses

Example Response 1

Yes, we have a comprehensive process for handling stop-processing requests that extends to our third-party processors. Our Privacy Policy (available at example.com/privacy) explicitly states individuals' rights to request cessation of data processing. We maintain a dedicated privacy portal where individuals can submit these requests, which are then tracked in our compliance management system. Upon receipt, our Data Privacy Office verifies the requester's identity, logs the request, and initiates our stop-processing workflow within 24 hours. This includes flagging the relevant data in our systems and notifying all applicable third parties within 48 hours via our vendor management platform. Our Data Processing Agreements with all third parties include a mandatory clause (Section 4.3) requiring them to honor stop-processing requests within 72 hours of notification. We audit third-party compliance quarterly and maintain a compliance dashboard showing that we've processed 98% of stop-processing requests within our 7-day SLA over the past year. We can provide redacted examples of our request handling documentation and third-party notification templates upon request.

Example Response 2

Yes, our organization certifies stop-processing requests for all personal data, including data processed by third parties. We implement this through our Rights Request Management System, which allows individuals to submit requests via our website, email, or phone. Our Data Governance team reviews each request within 2 business days, authenticates the requestor using a two-factor verification process, and then implements technical controls to halt processing. For data handled by third parties, we maintain an inventory of all processors in our Data Mapping tool and have established an automated notification system that alerts these partners within 24 hours of a verified request. Our third-party contracts (specifically Article 7) require processors to implement stop-processing requests within 5 business days and provide confirmation once completed. We conduct annual audits of our third parties' compliance with these obligations and have implemented a technical solution that revokes API access to the data when a stop-processing request is approved. Our internal procedures document PR-107 (Data Subject Rights Fulfillment) details this entire process, and we can provide this documentation for review.

Example Response 3

No, we currently do not have a formal process for certifying stop-processing requests that extends to third parties. While we do honor requests to stop processing data within our own systems through an ad-hoc process managed by our IT team, we have not yet implemented a systematic approach for notifying our third-party data processors when such requests are received. Our current privacy policy mentions individuals' rights to request data deletion but does not specifically address stop-processing requests. We recognize this as a gap in our privacy program and have initiated a project to develop a comprehensive data subject rights management process, including stop-processing capabilities. The project includes developing standardized language for our third-party agreements, implementing a tracking system for privacy requests, and establishing verification protocols. We expect to have this capability fully implemented within the next 6 months, with the first phase focusing on our internal processes launching in 60 days.

Context

Tab: Privacy
Category: Data Privacy

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub