Guideline 64. Enforcing data protection in transactions and in digital certificates

Submitted by Anonymous (not verified) on Tue, 07/10/2018 - 09:46

The institution implements measures to enforce the applicable data protection regulations on transactions of the international agreement as well as on digital certificates.

These measures are based on the corresponding national regulations as well as the conditions established in the agreement.

Guideline code
ICT_08500
Mechanism
  • The units responsible for enforcing data protection regulations should establish procedures to ensure the appropriate treatment of personal data in transactions of international agreements as well as in managing digital certificates.
  • The units responsible for enforcing data protection should implement:
    • Mechanisms for collecting and storing digital certificates in compliance with the applicable data privacy policies and regulations;
    • User access mechanisms to protect personal data in certificates. Such mechanisms should enable users to access their personal data stored in certificates, and should ensure that proper consent is obtained when necessary.
  • The unit responsible for data protection should establish:
    • Certificate transfer mechanisms to third parties, compliant with the applicable data protection regulations;
    • Certificate cancellation mechanisms compliant with the applicable data protection regulations.
  • The unit responsible for data protection should communicate technical specifications and measures to the unit defining the metadata schema for information to be exchanged, in order to enforce them by design as much as possible.
  • The internal audit office should periodically audit and monitor the data protection measures and mechanisms in place.
Structure
  • The management should commission the ICT and other competent units to implement measures enforcing the applicable data protection regulations on transactions of the international agreement as well as on digital certificates. Such data protection regulations include national regulations as well as conditions established in the agreement.
    • It is important to highlight that regulatory frameworks oblige institutions to carry out data governance procedures (e.g. integrity, storage and maintenance, data protection, the “right to be forgotten”).
  • A common legal framework regarding data protection for the transfer of information between countries could be defined at the international level. The principles may be based on the OECD Privacy Framework and guidelines for trans-border flows of personal data.
  • The management should define roles and responsibilities on implementing and managing data protection measures related to transactions and digital certificates.
  • The defined data protection policies and measures should follow the institutional data security framework, as well as the recommendations of the current set of Guidelines, particularly Section B.2, Data Security and Privacy.