Criminal Record Information Collection Not Disclosed in Privacy Policy
Description
The application collects information relating to criminal convictions or offences, but its privacy policy does not disclose this. Such data is subject to very strict controls under privacy regulations such as GDPR Article 10. Failing to inform users, or processing this data without a specific legal basis, is a serious violation and can have severe consequences.
Recommendation
Immediately update your application's privacy policy to state explicitly whether, and how, information relating to criminal convictions or offences is collected and processed. Clearly detail the specific legal basis that permits this processing, the purposes for collection, how the data is used, how it is stored (with the highest level of security), and its retention period. Ensure full compliance with all applicable legal requirements.
Links
- GDPR Article 10 - Processing of personal data relating to criminal convictions and offences
- CWE-359: Exposure of Private Information ("Privacy Violation")
Standards
- GDPR:
  - ART_5
  - ART_6
  - ART_10
  - ART_12
  - ART_13
  - ART_25
  - ART_32
  - ART_35
- CCPA:
  - CCPA_1798_100
  - CCPA_1798_110
  - CCPA_1798_150
- OWASP_MASVS_v2_1:
  - MASVS_PRIVACY_1
  - MASVS_PRIVACY_2
- SOC2_CONTROLS:
  - CC_2_3
  - CC_5_3
  - CC_6_1
- CNIL_FOR_EDITORS:
  - EDITORS_1_2_5
  - EDITORS_3_1_1
  - EDITORS_3_1_2