SOC 2 Privacy Criteria
GDPR & Data Subject Rights
Demonstrate your commitment to protecting personal data and honoring data subject rights. The Privacy criteria give an auditor a basis to attest to the controls that support GDPR, CCPA, and other privacy obligations - critical evidence for companies processing EU/California customer data.
What is SOC 2 Privacy Criteria?
Privacy criteria demonstrate that your organization protects personal data and honors data subject rights in line with GDPR, CCPA, and other privacy regulations. Unlike the Security criteria (the Common Criteria, which every SOC 2 report must include), Privacy is an optional category - but it is critical for companies processing EU or California customer data.
If you process personal data (names, emails, addresses, payment information) from EU or California residents, you should include Privacy in your SOC 2 report to demonstrate GDPR/CCPA compliance.
Optional but Critical for GDPR/CCPA Compliance
Companies processing EU or California customer data need this
Proves Data Subject Rights Compliance
Validates processes for access, rectification, erasure, and portability
Covers Consent Management & Privacy Notices
Demonstrates transparent data practices and user consent
Required by EU/UK Customers
European customers often require Privacy criteria in SOC 2 reports
When to Include Privacy Criteria
EU/UK Customers
Processing personal data of EU/UK residents (GDPR compliance)
California Customers
Processing personal data of California residents (CCPA compliance)
B2C SaaS Platforms
Consumer-facing apps collecting personal information
Healthcare/HR Systems
Systems processing sensitive personal data (health, employment)
8 Key Privacy Controls
Implement these controls to demonstrate personal data protection and meet SOC 2 Privacy criteria requirements.
Privacy Notice & Transparency
Clear privacy notices informing data subjects about data collection, use, and sharing practices.
Key Implementation Points
- Comprehensive privacy policy published
- Notice at collection (what data, why, how long)
- Third-party data sharing disclosures
- Privacy policy updates communicated to users
- Privacy notice in plain language (not legalese)
Consent Management
Obtaining and managing user consent for data collection and processing activities.
Key Implementation Points
- Freely given, specific, informed opt-in consent where consent is the lawful basis (explicit consent for special-category data such as health)
- Opt-in for marketing communications
- Granular consent options (not all-or-nothing)
- Consent withdrawal mechanism
- Consent records maintained and auditable (who consented, when, to which notice version, for which purposes)
Data Subject Rights (GDPR)
Processes to honor data subject rights including access, rectification, erasure, and portability.
Key Implementation Points
- Right to access - provide copy of personal data
- Right to rectification - correct inaccurate data
- Right to erasure (right to be forgotten)
- Right to data portability - export in machine-readable format
- Response without undue delay and within one month (GDPR Art. 12(3)); extendable by two further months for complex or numerous requests if the requester is told why within the first month
Data Retention & Deletion
Documented data retention policies with automated deletion after retention period expires.
Key Implementation Points
- Data retention policy documented
- Retention periods defined by data type
- Automated deletion after retention period
- Legal hold procedures that suspend automated deletion for litigation or investigations
- Deletion verification and audit trails
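The retention, legal hold and audit-trail points above are easier to see as one mechanism. The following Python sweep is an added example for this page, not any vendor's product code: the data types, retention periods, hold reason and sample records are constructed assumptions, and the real values come from your documented retention policy. It fails closed on a data type with no documented period, skips subjects under legal hold, and writes an audit entry that records identifiers and reasons but never the deleted content.

```python
"""Retention sweep: per-type retention periods, legal holds and a deletion audit trail.

Added example, not a vendor's code. Data types, periods and records are assumed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Retention periods by data type (assumed values). A type with no entry is never
# deleted automatically: the sweep fails closed rather than guessing a period.
RETENTION_DAYS = {
    "support_ticket": 365,
    "marketing_lead": 180,
    "invoice": 365 * 7,  # assumed statutory bookkeeping period
}


@dataclass
class Record:
    record_id: str
    data_type: str
    subject_id: str
    created_at: datetime


@dataclass
class RetentionSweep:
    records: dict = field(default_factory=dict)
    legal_holds: dict = field(default_factory=dict)  # subject_id -> hold reason
    audit_log: list = field(default_factory=list)     # append-only trail

    def add(self, rec: Record) -> None:
        self.records[rec.record_id] = rec

    def place_hold(self, subject_id: str, reason: str, now: datetime) -> None:
        self.legal_holds[subject_id] = reason
        self.audit_log.append({"ts": now.isoformat(), "action": "hold_placed",
                               "subject_id": subject_id, "reason": reason})

    def release_hold(self, subject_id: str, now: datetime) -> None:
        reason = self.legal_holds.pop(subject_id)
        self.audit_log.append({"ts": now.isoformat(), "action": "hold_released",
                               "subject_id": subject_id, "reason": reason})

    def is_expired(self, rec: Record, now: datetime) -> bool:
        period = RETENTION_DAYS.get(rec.data_type)
        if period is None:
            raise ValueError(f"no documented retention period for {rec.data_type!r}")
        return now - rec.created_at >= timedelta(days=period)

    def sweep(self, now: datetime):
        """Delete expired records unless their subject is under legal hold.

        Returns (deleted_ids, held_ids). Audit entries carry identifiers and the
        reason only, so the log cannot become a second copy of the deleted data.
        """
        deleted, held = [], []
        for rid, rec in list(self.records.items()):
            if not self.is_expired(rec, now):
                continue
            entry = {"ts": now.isoformat(), "record_id": rid, "data_type": rec.data_type,
                     "subject_id": rec.subject_id, "retention_days": RETENTION_DAYS[rec.data_type]}
            if rec.subject_id in self.legal_holds:
                entry.update(action="skipped_legal_hold", reason=self.legal_holds[rec.subject_id])
                held.append(rid)
            else:
                del self.records[rid]
                entry.update(action="deleted", reason="retention period expired")
                deleted.append(rid)
            self.audit_log.append(entry)
        return deleted, held

    def verify_deleted(self, record_id: str) -> bool:
        """Deletion verification: the record is gone AND a 'deleted' audit entry exists."""
        gone = record_id not in self.records
        logged = any(e.get("record_id") == record_id and e["action"] == "deleted"
                     for e in self.audit_log)
        return gone and logged


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample data, evaluated at a fixed "now" so the run is reproducible.
NOW = _ts("2025-01-01")
SAMPLE_RECORDS = [
    Record("t1", "support_ticket", "u1", _ts("2023-06-01")),  # 580 days old: expired
    Record("t2", "support_ticket", "u2", _ts("2024-09-01")),  # 122 days old: keep
    Record("m1", "marketing_lead", "u3", _ts("2024-03-01")),  # 306 days old: expired
    Record("i1", "invoice", "u1", _ts("2019-01-01")),         # 6 years old: keep (7y period)
]


def run_demo() -> dict:
    sweep = RetentionSweep()
    for rec in SAMPLE_RECORDS:
        sweep.add(rec)
    sweep.place_hold("u3", "litigation hold 2024-07 (assumed)", NOW)
    first = sweep.sweep(NOW)   # t1 deleted; m1 skipped because u3 is on hold
    sweep.release_hold("u3", NOW)
    second = sweep.sweep(NOW)  # m1 deleted now that the hold is gone
    try:
        sweep.is_expired(Record("x1", "unknown_type", "u9", _ts("2020-01-01")), NOW)
        refused = False
    except ValueError:
        refused = True
    return {"first": first, "second": second, "remaining": sorted(sweep.records),
            "t1_verified": sweep.verify_deleted("t1"), "unknown_type_refused": refused,
            "audit": sweep.audit_log}


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

In a real system the same sweep has to reach backups and replicas, and the audit log itself is a record with its own (usually longer) retention period; both are assumptions outside this example.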
Purpose Limitation
Ensuring personal data is only used for the purposes disclosed in the privacy notice.
Key Implementation Points
- Data processing purposes documented
- No secondary use unless it is compatible with the original purpose or covered by fresh consent
- Purpose limitation training for employees
- Data processing agreements with vendors
- Regular audits of data usage
Data Minimization
Collecting only the minimum personal data necessary for the stated purpose.
Key Implementation Points
- Data minimization policy documented
- Regular review of data collection forms
- Removal of unnecessary data fields
- Justification for each data element collected
- Privacy by design in new features
Third-Party Data Sharing Controls
Controls over sharing personal data with third parties including vendors and partners.
Key Implementation Points
- Data Processing Agreements (DPAs) with vendors
- Third-party privacy assessments
- Disclosure of third-party sharing in privacy notice
- Vendor data handling audits
- Prohibition of unauthorized data sharing
Privacy Impact Assessments (PIAs)
Systematic assessment of privacy risks for new products, features, or data processing activities. GDPR makes the formal version, a Data Protection Impact Assessment (DPIA, Art. 35), mandatory for processing likely to result in a high risk to individuals.
Key Implementation Points
- PIA required for new data processing activities
- Privacy risk identification and mitigation
- PIA review and approval process
- PIA documentation maintained
- Annual PIA reviews for existing systems
Common Privacy Mistakes
Generic Privacy Policy
Using a template privacy policy without customizing it to your actual data practices.
Fix: Document actual data collection, use, and sharing practices. Update privacy policy to reflect reality.
No Data Subject Rights Process
Lacking documented procedures to handle GDPR data subject requests (access, erasure, portability).
Fix: Implement a documented process for handling data subject requests with an internal SLA inside GDPR's one-month deadline (45 days under CCPA), including identity verification and a request log.
Implied Consent Instead of Explicit
Assuming consent without an affirmative opt-in (e.g., pre-checked boxes, silence, or inactivity) is not valid consent under GDPR where consent is your lawful basis.
Fix: Implement explicit opt-in consent with unchecked boxes and clear consent language.
Indefinite Data Retention
Keeping personal data forever without documented retention periods violates GDPR's storage limitation principle (Art. 5(1)(e)) and undermines data minimization.
Fix: Define retention periods by data type and implement automated deletion after expiration.
Missing DPAs with Vendors
Sharing personal data with vendors that process it on your behalf without a Data Processing Agreement violates GDPR Article 28, which requires a written contract with every processor.
Fix: Require DPAs with all vendors processing personal data on your behalf.
No Privacy Impact Assessments
Launching new features without assessing privacy risks can lead to GDPR violations.
Fix: Require PIAs for new data processing activities with privacy risk mitigation.
Frequently Asked Questions
Is Privacy criteria mandatory for SOC 2?
No, Privacy is optional. Only the Security category (the Common Criteria, CC1-CC9) is mandatory; Availability, Processing Integrity, Confidentiality and Privacy are added by choice. In the AICPA Trust Services Criteria the Privacy category is criteria P1-P8 (notice, choice and consent, collection, use/retention/disposal, access, disclosure and notification, quality, monitoring and enforcement). Companies processing EU or California customer data should include Privacy to give customers auditor-attested evidence supporting GDPR/CCPA compliance. If you have EU/UK customers or California residents using your platform, you likely need this category.
What are the 8 data subject rights under GDPR?
The 8 GDPR data subject rights are: (1) Right to be informed - transparent privacy notices; (2) Right of access - provide a copy of personal data; (3) Right to rectification - correct inaccurate data; (4) Right to erasure - delete data (right to be forgotten); (5) Right to restrict processing - limit how data is used; (6) Right to data portability - export in a machine-readable format; (7) Right to object - opt out of processing; (8) Rights related to automated decision-making - human review of automated decisions. You must respond without undue delay and in any event within one month of receipt (Art. 12(3)), extendable by two further months for complex or numerous requests.
What's the difference between GDPR and CCPA?
GDPR applies to processing personal data of people in the EU (the UK GDPR mirrors it for the UK). Every processing activity needs a lawful basis; consent is one of six, must be an affirmative opt-in, and must be explicit for special-category data. Data subject requests must be answered within one month (extendable by two further months for complex requests), and fines reach EUR 20 million or 4% of global annual turnover, whichever is higher. CCPA (as amended by CPRA) applies to businesses that meet its thresholds and process personal information of California residents. It is opt-out based for the sale or sharing of personal information (opt-in only for consumers under 16), gives 45 days to respond to requests (extendable by a further 45), and enforces with per-violation civil penalties rather than revenue-based fines. Both require privacy notices, data subject rights, and data minimization, and SOC 2 Privacy controls can be mapped to both.
How do I handle data subject access requests (DSARs)?
Step 1: Verify the requester's identity in proportion to the sensitivity of the data (e.g., a one-time code sent to the email on the account) so you do not disclose data to an impostor. Step 2: Search every system holding personal data (databases, backups, logs, email, support tools, and processors acting on your behalf). Step 3: Compile the data in a commonly used, machine-readable format (CSV, JSON). Step 4: Redact other people's personal data that appears in the requester's records (do not disclose third parties). Step 5: Deliver within one month (GDPR; extendable by two further months if you tell the requester why within the first month) or within 45 days (CCPA; extendable by a further 45). Step 6: Log the request, the identity check, the scope searched, and the delivery date. Tools like OneTrust or TrustArc can manage the workflow, or build a custom DSAR portal.
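The six steps above, carried through in Python as an added example for this page (not a DSAR tool's or this site's own code): the user, order and support stores, the field names, the one-time code and every record are constructed assumptions. The identity check compares a hashed one-time code in constant time, the support text is scrubbed of other people's emails and names before export, the deadline is computed per regime with calendar-month arithmetic for GDPR, and the log keeps request metadata plus a digest of what was delivered rather than the data itself.

```python
"""Fulfilling a data subject access request (DSAR).

Added example, not a product's code. Stores, fields, code and records are assumed.
"""
import calendar
import hashlib
import hmac
import json
import re
from datetime import date, timedelta

# Constructed stores. Support text may mention other people (third-party data).
USERS = {
    "u1": {"email": "alice@example.com", "name": "Alice Example", "signup": "2023-02-10"},
    "u2": {"email": "bob@example.com", "name": "Bob Example", "signup": "2023-05-01"},
}
ORDERS = [
    {"order_id": "o-100", "user_id": "u1", "total": "19.99"},
    {"order_id": "o-101", "user_id": "u2", "total": "5.00"},
]
SUPPORT = [
    {"user_id": "u1", "text": "Please link my account with bob@example.com, my colleague Bob Example."},
    {"user_id": "u2", "text": "Refund please."},
]
DSAR_LOG = []  # request metadata and a digest of the export, never the export itself

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic clamped to month end (31 Jan + 1 month = 28 Feb)."""
    y, m = divmod(d.month - 1 + n, 12)
    y, m = d.year + y, m + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def response_deadline(received: date, regime: str, extended: bool = False) -> date:
    if regime == "GDPR":  # Art. 12(3): one month, extendable by two further months
        return add_months(received, 3 if extended else 1)
    if regime == "CCPA":  # 45 days, extendable by a further 45
        return received + timedelta(days=90 if extended else 45)
    raise ValueError(f"unknown regime {regime!r}")


def verify_identity(presented_code: str, stored_code_hash: str) -> bool:
    """Check a one-time code (assumed sent to the account email) against its stored hash.
    Constant-time compare so a wrong guess and a near-miss are indistinguishable."""
    digest = hashlib.sha256(presented_code.encode()).hexdigest()
    return hmac.compare_digest(digest, stored_code_hash)


def redact_third_parties(text: str, requester_email: str, requester_name: str, other_names) -> str:
    """Strip other people's emails and names before disclosure; keep the requester's own."""
    out = EMAIL_RE.sub(lambda m: m.group(0) if m.group(0).lower() == requester_email.lower()
                       else "[REDACTED EMAIL]", text)
    for name in other_names:
        if name and name != requester_name:
            out = out.replace(name, "[REDACTED NAME]")
    return out


def fulfil_dsar(user_id: str, presented_code: str, stored_code_hash: str,
                regime: str, received: date) -> dict:
    if not verify_identity(presented_code, stored_code_hash):
        DSAR_LOG.append({"user_id": user_id, "received": received.isoformat(),
                         "outcome": "identity_check_failed"})
        raise PermissionError("identity verification failed")
    profile = USERS[user_id]
    other_names = [u["name"] for uid, u in USERS.items() if uid != user_id]
    export = {
        "request": {"user_id": user_id, "regime": regime, "received": received.isoformat(),
                    "deadline": response_deadline(received, regime).isoformat()},
        "profile": profile,
        "orders": [o for o in ORDERS if o["user_id"] == user_id],
        "support": [{"text": redact_third_parties(s["text"], profile["email"], profile["name"], other_names)}
                    for s in SUPPORT if s["user_id"] == user_id],
    }
    # Log what was delivered as a digest: proves the response later without storing a copy.
    DSAR_LOG.append({**export["request"], "outcome": "fulfilled",
                     "sha256": hashlib.sha256(json.dumps(export, sort_keys=True).encode()).hexdigest()})
    return export


CODE = "482913"  # constructed one-time code, as if emailed to alice@example.com
CODE_HASH = hashlib.sha256(CODE.encode()).hexdigest()


def run_demo() -> dict:
    DSAR_LOG.clear()
    received = date(2025, 1, 31)  # month-end date to exercise the GDPR clamp
    export = fulfil_dsar("u1", CODE, CODE_HASH, "GDPR", received)
    try:
        fulfil_dsar("u1", "000000", CODE_HASH, "GDPR", received)
        refused = False
    except PermissionError:
        refused = True
    return {"export": export, "wrong_code_refused": refused,
            "ccpa_deadline": response_deadline(received, "CCPA").isoformat(),
            "gdpr_extended": response_deadline(received, "GDPR", extended=True).isoformat(),
            "log": DSAR_LOG}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The name-based redaction is deliberately simple (exact-match on other users' names) and is the piece a real deployment would replace with a proper review step; the structure around it is what matters: verify, search, redact, date, log.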
What evidence will auditors request for Privacy criteria?
Auditors will request: (1) Privacy policy - Published privacy notice with all required disclosures; (2) Consent records - Evidence of explicit consent with timestamps; (3) DSAR logs - Documentation of data subject requests and responses; (4) Data retention policy - Documented retention periods and deletion procedures; (5) DPAs with vendors - Data Processing Agreements with third parties; (6) PIA documentation - Privacy Impact Assessments for new features; (7) Training records - Privacy training completion for all employees.
Do I need a Data Protection Officer (DPO) for SOC 2 Privacy?
GDPR (Art. 37) requires a DPO if: (1) you are a public authority; (2) your core activities involve regular and systematic monitoring of data subjects on a large scale; (3) your core activities involve large-scale processing of special-category data or criminal conviction data. Most SaaS companies don't need a DPO, but you should designate a Privacy Lead responsible for privacy compliance. This person should: (1) Maintain privacy documentation; (2) Handle data subject requests; (3) Conduct PIAs; (4) Train employees on privacy; (5) Serve as point of contact for privacy questions. It can be a part-time role combined with legal/compliance.
Ready to Implement SOC 2 Privacy Criteria?
Get expert guidance on GDPR/CCPA compliance, data subject rights, and privacy controls. We've helped 500+ companies achieve SOC 2 Privacy compliance and protect personal data.
SOC 2 Privacy Criteria Services
Expert SOC 2 consulting for USA, UK, Australia markets - delivered from India with 40-60% cost savings