2.4.16 Device Ownership Transfer
This section’s intended audience is for those personnel who are responsible for Data Protection and Device Ownership management.
| Req No | Requirement | Primary Keyword | Secondary Keyword | Compliance Class And Applicability |
|---|---|---|---|---|
| 2.4.16.1 | Where a device may have its ownership transferred to a different owner, the supplier or manufacturer of any devices and/or services shall provide information about how the device(s) removal and/or disposal or replacement shall be carried out to maintain the end user’s privacy and security, including deletion of all Personal Information from the device and any associated services. This option must be available when a transfer of ownership occurs or when an end user wishes to delete their Personal Information from the service or device. | Business | Process | Mandatory for Class 1 and above |
| 2.4.16.2 | Where a device User wishes to dispose of the device or end the service, the supplier or manufacturer of any devices and/or services shall provide information about how the device(s) removal and/or disposal or replacement shall be carried out to maintain the end user’s privacy and security, including secure erasure of all Personal Information from the device and deletion of personal information from any associated services (other than that required for legitimate reasons such as billing). A clear confirmation is provided to the user. Examples of a user include a renter of accommodation, a vehicle or medical aids. | Business | Process | Mandatory for Class 1 and above |
| 2.4.16.3 | The Service Provider should not have the ability to do a reverse lookup of device ownership from the device identity. | Business | Process | Mandatory for Class 1 and above |
| 2.4.16.4 | If ownership change is required/allowed, the device must have an irrevocable method of decommissioning and recommissioning. | System | Software | Mandatory for Class 1 and above |
| 2.4.16.5 | The device registration with the Service Provider shall use a secure connection. | Business | Process | Mandatory for Class 1 and above |
| 2.4.16.6 | The device manufacturer ensures that the exposed identity of the device cannot be linked by unauthorised actors to the end user, to ensure anonymity and comply with relevant local data privacy laws e.g. GDPR [EU.GDPR]1 in the EU. | Business | Policy | Mandatory for Class 1 and above |
| 2.4.16.7 | Where transfer of a device to a new end user is supported, user settings and confidential user data on the device should be reliably erasable by triggering a user reset function. This is so the new user can be confident in the device state and also so the previous user can be confident their data has been unrecoverably erased to maintain confidentiality (see alongside 2.4.12.13 and 2.4.12.11). | Business | Policy | Mandatory for Class 1 and above |
Footnotes
-
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). ↩