SEC08-06 Compliance of Personal Data Disclosure to Third Parties
When sharing, transferring, or providing personal data to a third party, the data controller must comply with relevant laws, regulations, and privacy protection guidelines so that data transfer activities are lawful and respect data subjects' rights.
- Risk level
  High
- Key strategies
  - The product team needs to evaluate whether personal data is pushed to third-party applications and whether highly sensitive user data is pushed without users' explicit consent. In addition, check whether third-party applications provide a proper protection mechanism for shared data.
  - Obtain users' consent before transferring their personal data to third parties and comply with the lawfulness principle.
  - The purposes and scope of the transfer must be limited to what has been stated for the collection.
  - Maintain the integrity and accuracy of personal data and keep it up to date. Prevent personal data from being tampered with, deleted, or abused in any phase.
  - The exporter must obtain an explicit commitment from the receiver to ensure the integrity, accuracy, and security of personal data and prevent abuse or unauthorized disclosure.
  - If high-impact personal data (e.g. passwords, bank accounts, and batch personal data) needs to be transmitted, encrypt it before transmission or transfer it through a secure channel.
  - If cross-border data transfer is involved, comply with local laws and regulations.