GDPR Register | Compliance tool for privacy experts

Direct marketing rules and exceptions under the GDPR

Sarune Zybartaite — Mon, 02 Nov 2020 12:52:06 +0000

Direct marketing includes text messages (SMS) and emails that a customer receives from a product or service provider. But activities of direct marketing may include multiple steps:

collecting personal data from potential customers,
creating profiles about those potential customers and their preferences,
and then sending personalized communications to them.

As a general rule for direct marketing, the company needs a consent from a customer. However, there are several exceptions when it’s allowed to send the emails to the customers without asking for a consent.

The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. But it’s not so easy. Direct electronic marketing is currently regulated under the ePrivacy Directive, which generally requires opt-in consent before engaging in such activity. This means, that in most cases, even if you are relying on legitimate interests, the ePrivacy Directive would still require consent. However, there is an exception—marketing emails may be sent on an opt-out basis if the recipient’s details were collected “in the context of the sale of a product or a service,”(Directive 2002/58/EC, Article 13(2).). Please bear in mind that this exception has been implemented differently by the EU member states and some differences may apply, especially in case of B2B communication..

In case of B2B communication, company representative can be contacted for direct marketing purposes for business related products or services through electronic mail without their prior consent but only in the context of the position they hold. Therefore, there are additional exceptions for B2B direct marketing rules.

Article 21 of the GDPR states that “where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing” and that “where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.”even if opt-in consent is not required before sending marketing emails, the GDPR requires that the recipient always be provided with an opportunity to opt-out of receiving such emails.

Following table will provide you a bit more structured view on possible legal bases for direct marketing activities under GDPR and ePrivacy Directive.

	Newsletters and direct marketing to the customer	Service notifications	Profiled direct marketing	Providing similar products or services in the context of a customer relationship
Explanation	Regular newsletters or messages (cold emails).	The company receives electronic contact details of the customer in connection with the sale of the product or the provision of the service. Welfare notifications.	Customer behaviour patterns (based on purchase history) are used for targeted messages.	The company receives electronic contact details of the customer in connection with the sale of the product or the provision of the service. Contact information for direct sales of similar products or services to the customer may be used.
Basis of data processing	Consent or clear declaration of will, for example, entering an email on the company’s website in the newsletter field or click at tickbox. Must be able to get out of direct marketing. Opt-in and Opt-out	Legitimate interest to send notices- you can rely on legitimate interests for marketing activities. However, in case you have to show that you use people’s data proportionately. Meaning, it has a minimal privacy impact, and people would not be likely to object. Opt-out	Consent, e.g. acceptance of personal data processing. The right to object at any time to the processing of personal data. The information shall be provided clearly and separately from any other information. Opt-in and Opt-out	The previous sale of a product or service. During the initial collection of data, and whenever the data is used, the customer has a clear and understandable way to prohibit the use of such contact information in a free and easy way. Opt-out
Legal provisions	Directive 2002/58/EU article 13 section 1	GDPR preamble 47; GDPR article 6 (f)	GDPR article 21 section 2	Directive 2002/58/EU article 13 section 2

The post Direct marketing rules and exceptions under the GDPR appeared first on GDPR Register | Compliance tool for privacy experts.

Personal Data Breach Reporting Requirements Under the GDPR

Sarune Zybartaite — Fri, 30 Oct 2020 13:28:53 +0000

What is Data Breach?

A personal data breach is security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. Personal data breaches can include:

access by an unauthorized third party;
deliberate or accidental action (or inaction) by a controller or processor;
sending personal data to an incorrect recipient;
computing devices containing personal data being lost or stolen;
alteration of personal data without permission; and
loss of availability of personal data.

According to GDPR article 33, data controller has to report certain types of personal data breaches to the Data Protection Authority (DPA) within 72 hours after becoming aware of the breach.

In what circumstances do you need to report a data breach?

If you experience a personal data breach you need to consider whether this poses a risk to affected individuals. You need to consider the likelihood and severity of the risk to individual’s rights and freedoms, following the breach. When you’ve made this assessment, if it’s likely there will be a risk then you must notify the DPA. If the risk is unlikely to happen then you don’t have to report, but you have to record the breach in your Breach Register.

Breach Register will be launched soon

Let us know if you would like to be notified and see the demo.

Click Here to Register Your Interest

Days

Hours

Minutes

Seconds

Reporting the breach to Data Protection Authority

A notifiable breach must be reported to the DPA without undue delay, but not later than 72 hours after becoming aware of it. If you will notify DPA later than 72 hours, you must provide reasons for the delay.

When reporting a personal data breach, you will have to provide following information::

a description of the nature of the breach including, where possible:
the categories and approximate number of individuals concerned; and
the categories and approximate number of personal data records concerned;
the name and contact details of the DPO (if your organisation has one) or another contact point to obtain information;
a description of the likely consequences of the personal data breach; and
a description of the measures taken or proposed to be taken, to deal with the personal data breach. Also, including, where appropriate, the measures taken to mitigate any possible adverse effects.

It may happen that it’s not possible to provide immediately all information listed above. You may provide such information in phases.

The notification has to be done to Data Protection Authority of the location of controller company. Contacts of EU Data Protection Authorities by countries can be found here.

Notifying Data Subjects about the Data Breach

Some breaches are likely to result a high risk to the rights and freedoms of individuals. In such situation, controller must inform affected individuals directly and without undue delay. One of the main reasons for informing individuals is to help them take steps to protect themselves from the effects of the breach. You need to describe, in clear and plain language, the nature of the personal data breach and, at least:

the name and contact details of your data protection officer (if your organisation has one) or another contact point where more information can be obtained;
a description of the likely consequences of the personal data breach; and
a description of the measures taken or proposed to be taken, to deal with the personal data breach and including, where appropriate, of the measures taken to mitigate any possible adverse effects.

Should Processor report a Data Breach?

If your organisation is a data processor, and your suffer a data breach, you have to inform your controller without undue delay as soon as you become aware of the breach. There may be special conditions of reporting defined by data controller. The requirements for breach reporting should be detailed in the Data Processing Agreement between you and your controller.

Stop wasting time on spreadsheets and get into control of your compliance documentation

The post Personal Data Breach Reporting Requirements Under the GDPR appeared first on GDPR Register | Compliance tool for privacy experts.

Records of processing activities in GDPR Article 30

admin — Thu, 22 Oct 2020 11:30:02 +0000

What do companies have to include in the records of processing activities?

GDPR Article 30 requires companies to keep an internal record, which contains the information of all personal data processing activities carried out by the company.

According to the General Data Protection Regulation (GDPR) Article 30, records of processing activities (RoPAs) must include significant information about data processing, including:

data categories,
the group of data subjects,
the purpose of the processing and
the data recipients.

This must be made available to authorities upon request.

Which companies are obliged to keep records of processing activities?

Each company who meets at least one of the following conditions has to keep a record of data processing activities:

Processing personal data periodically (not occasionally). Meaning, if you have a website, or you have some customer who are periodically ordering goods or services from you, you are periodically processing personal data.
Having more than 250 employees. This requirement can be different per country.
Processing any amount of sensitive and private data (concerning health, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical belief, criminal records, etc.).

Also companies who carry out any of the following activities are obliged to keep the records:

Evaluating work-related performance,
Monitoring individuals behavior, location and/or movements,
Providing insurance, investment, and financial services to private individuals,
Providing a loyalty schema (e.g. customer card) in a retail business,
Registering/collecting customer information,
Compiling the marketing profile of customers,
Providing rent services for recruitment or personnel,
Collecting people data related to gambling,
Collecting data related to children, the elderly, mentally ill persons,
Matching and combining personal data originated from various sources (big data),
Transmitting personal data outside the European Union (includes the cases the personal data is kept in servers located outside of EU).

How to store records of data processing activities?

It is important to know that all the records must be kept in an electronic form and be updated regularly.

If your company is obliged to appoint a Data Protection Officer (DPO), then the DPO is responsible for keeping the records of processing activities.

GOOD TO KNOW:
There are several templates available at GDPR Register, which help to identify what information should be recorded about the data processing activities and how should it be structured.

What exactly has to be documented?

If you are a data controller, according to GDPR Article 30 you are obliged to document the following:

Your company’s name and contact details.
If applicable, the name and contact details of Data Protection Officer.
The purposes of the processing – why you use personal data (customer management, employment, marketing, sales).
The categories of individuals (e.g. employees, customers).
The categories of personal data you process (e.g. contact details, health data).
The categories of recipients of personal data (e.g. collaboration partners, third parties, tax department, university).
If applicable, the name of any third countries or international organisations that you transfer personal data to.
If applicable, the safeguards in place for exceptional transfers of personal data to third countries or international organisations.
If possible, the retention schedules for the different categories of personal data.
If possible, a general description of your technical and organisational security measures (e.g. encryption, employee training, access restrictions to contracts and other personal data, anonymisation, etc).

Save up to 70% of your time by using GDPR Register for creating and maintaining you records of processing activities. You will get get well structured basis for all rest of your compliance documentation.

More to read on this topic: The lawful basis for Data Processing under the GDPR

Save your time, get things done!

It's no risk 14-day trial. You will be able to see how our predefined template approach will save your time and bring clarity into your GDPR Article 30 register, you will be able to connect register of Data Processing Agreements and get use of other templates of our compliance package.

Try 14 days for free

The post Records of processing activities in GDPR Article 30 appeared first on GDPR Register | Compliance tool for privacy experts.

Data Protection Authorities (DPA)

Aleksander Uibo — Wed, 21 Oct 2020 14:50:51 +0000

Data Protection Authorities (DPA)

Data Protection Authorities (DPA) are independent public authorities that supervise, through investigative and corrective powers, the application of the GDPR. They provide expert advice on data protection issues and handle complaints lodged against violations of the General Data Protection Regulation and the relevant national laws. There is one in each EU Member State.

Generally speaking, the main contact point for questions on data protection is the DPA in the EU Member State where your company/organisation is based. However, if your company/organisation processes data in the different EU Member States or is part of a group of companies established in the different EU Member States, that main contact point may be a DPA in another EU Member State.

European Data Protection Supervisor

Rue Wiertz 60
1047 Bruxelles/Brussel
Office: Rue Montoyer 30, 6th floor
Tel. +32 2 283 19 00
Fax +32 2 283 19 50
email: edps@edps.europa.eu
Website: http://www.edps.europa.eu/EDPSWEB/

Member: Mr Wojciech Wiewiórowski, European Data Protection Supervisor

Austria

Österreichische Datenschutzbehörde

Barichgasse 40-42
1030 Wien
Tel. +43 1 52152 2550
email: dsb@dsb.gv.at
Website: http://www.dsb.gv.at/

Member: Dr Andrea JELINEK, Director

Belgium

Autorité de la protection des données – Gegevensbeschermingsautoriteit (APD-GBA)

Rue de la Presse 35 – Drukpersstraat 35
1000 Bruxelles – Brussel
Tel. +32 2 274 48 00
Fax +32 2 274 48 35
email: contact@apd-gba.be
Website: https://www.autoriteprotectiondonnees.be/ – https://www.gegevensbeschermingsautoriteit.be/

Member: Mr David Stevens, President

Bulgaria

Commission for Personal Data Protection
2, Prof. Tsvetan Lazarov blvd.
Sofia 1592
Tel. + 359 2 915 3580
Fax +359 2 915 3525
email: kzld@cpdp.bg
Website: https://www.cpdp.bg/

Member: Mr Ventsislav KARADJOV, Chairman of the Commission for Personal Data Protection

Croatia

Croatian Personal Data Protection Agency
Selska Cesta 136
10000 Zagreb
Tel. +385 1 4609 000
Fax +385 1 4609 099
email: azop@azop.hr
Website: http://www.azop.hr/

Member: Mr Zdravko Vukić, Director

Cyprus

Commissioner for Personal Data Protection
1 Iasonos Street,
1082 Nicosia
P.O. Box 23378, CY-1682 Nicosia
Tel. +357 22 818 456
Fax +357 22 304 565
email: commissioner@dataprotection.gov.cy
Website: http://www.dataprotection.gov.cy/

Member: Ms Irene LOIZIDOU NIKOLAIDOU, Commissioner for Personal Data Protection

Czech Republic

Office for Personal Data Protection
Pplk. Sochora 27
170 00 Prague 7
Tel. +420 234 665 111
Fax +420 234 665 444
email: posta@uoou.cz
Website: http://www.uoou.cz/

Member: Ms Ivana JANŮ, President

Denmark

Datatilsynet
Carl Jacobsens Vej 35
2500 Valby
Tel. +45 33 1932 00
Fax +45 33 19 32 18
email: dt@datatilsynet.dk
Website: http://www.datatilsynet.dk/

Member: Ms Cristina Angela GULISANO, Director

Estonia

Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Tatari 39
10134 Tallinn
Tel. +372 6828 712
email: info@aki.ee
Website: http://www.aki.ee/

Member: Ms Pille Lehis, Director General

Finland

Office of the Data Protection Ombudsman
P.O. Box 800
FI-00531 Helsinki
Tel. +358 29 56 66700
Fax +358 29 56 66735
email: tietosuoja@om.fi
Website: http://www.tietosuoja.fi/en/

Member: Mr Reijo AARNIO, Ombudsman

France

Commission Nationale de l’Informatique et des Libertés – CNIL
3 Place de Fontenoy
TSA 80715 – 75334 Paris, Cedex 07
Tel. +33 1 53 73 22 22
Fax +33 1 53 73 22 00
contact: https://www.cnil.fr/en/contact-cnil
Website: http://www.cnil.fr/

Member: Ms Marie-Laure DENIS, President of CNIL

Germany

Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Graurheindorfer Straße 153
53117 Bonn
Tel.: +49 228 997799 0
Fax: +49 228 997799 5550
email: poststelle@bfdi.bund.de
Website: http://www.bfdi.bund.de/

Member and joint representative: Mr Prof. Ulrich KELBER, The Federal Commissioner for Data Protection and Freedom of Information

The competence for complaints is split among different data protection supervisory authorities in Germany.
Competent authorities can be identified according to the list provided under www.bfdi.bund.de/anschriften.

Greece

Hellenic Data Protection Authority
Kifisias Av. 1-3, PC 11523
Ampelokipi Athens
Tel. +30 210 6475 600
Fax +30 210 6475 628
email: contact@dpa.gr
Website: http://www.dpa.gr/

Member: Mr Konstantinos Menoudakos, President of the Hellenic Data Protection Authority

Hungary

Hungarian National Authority for Data Protection and Freedom of Information

Falk Miksa utca 9-11
H-1055 Budapest
Tel. +36 1 3911 400
email: privacy@naih.hu
Website: http://www.naih.hu/

Member: Dr Attila PÉTERFALVI, President of the National Authority for Data Protection and Freedom of Information

Ireland

Data Protection Commission
21 Fitzwilliam Square
Dublin 2
D02 RD28
Ireland
Tel. +353 76 110 4800
email: info@dataprotection.ie
Website: http://www.dataprotection.ie/

Member: Ms Helen DIXON, Data Protection Commissioner

Italy

Garante per la protezione dei dati personali
Piazza Venezia, 11
00187 Roma
Tel. +39 06 69677 1
Fax +39 06 69677 785
email: protocollo@gpdp.it
Website: http://www.garanteprivacy.it/

Member: Mr Antonello SORO, President of Garante per la protezione dei dati personali

Latvia

Data State Inspectorate
Blaumana str. 11/13-15
1011 Riga
Tel. +371 6722 3131
Fax +371 6722 3556
email: info@dvi.gov.lv
Website: http://www.dvi.gov.lv/

Member: Ms Jekaterina Macuka, Director of Data State Inspectorate

Lithuania

State Data Protection Inspectorate
L. Sapiegos str. 17
LT-10312 Vilnius
Tel. +370 5 271 2804 / +370 5 279 1445
Fax +370 5 261 9494
email: ada@ada.lt
Website: http://www.ada.lt/

Member: Mr Raimondas Andrijauskas, Director of the State Data Protection Inspectorate

Luxembourg

Commission Nationale pour la Protection des Données
15, Boulevard du Jazz
L-4370 Belvaux
Tel. +352 2610 60 1
Fax +352 2610 60 6099
email: info@cnpd.lu
Website: http://www.cnpd.lu/

Member: Ms Tine A. LARSEN, President of the Commission Nationale pour la Protection des Données

Malta

Office of the Information and Data Protection Commissioner
Second Floor, Airways House
High Street, Sliema SLM 1549
Tel. +356 2328 7100
Fax +356 2328 7198
email: idpc.info@idpc.org.mt
Website: http://www.idpc.org.mt/

Member: Mr Saviour CACHIA, Information and Data Protection Commissioner

Netherlands

Autoriteit Persoonsgegevens
Bezuidenhoutseweg 30
P.O. Box 93374
2509 AJ Den Haag/The Hague
Tel. +31 70 888 8500
Fax +31 70 888 8501
Contact: https://autoriteitpersoonsgegevens.nl/nl/contact-met-de-autoriteit-persoonsgegevens/informatie-en-meldpunt-privacy
Website: https://autoriteitpersoonsgegevens.nl/nl

Member: Mr Aleid WOLFSEN, Chairman of the Autoriteit Persoonsgegevens

Poland

Urząd Ochrony Danych Osobowych (Personal Data Protection Office)
ul. Stawki 2
00-193 Warsaw
Tel. +48 22 531 03 00
Fax +48 22 531 03 01
email: kancelaria@uodo.gov.pl; zwme@uodo.gov.pl
Website: https://uodo.gov.pl/

Member: Mr Jan NOWAK, President of the Personal Data Protection Office

Portugal

Comissão Nacional de Protecção de Dados – CNPD
Av. D. Carlos I, 134, 1º
1200-651 Lisboa
Tel. +351 21 392 84 00
Fax +351 21 397 68 32
email: geral@cnpd.pt
Website: http://www.cnpd.pt/

Member: Ms Filipa CALVÃO, President, Comissão Nacional de Protecção de Dados

Romania

The National Supervisory Authority for Personal Data Processing
B-dul Magheru 28-30
Sector 1, BUCUREŞTI
Tel. +40 31 805 9211
Fax +40 31 805 9602
email: anspdcp@dataprotection.ro
Website: http://www.dataprotection.ro/

Member: Ms Ancuţa Gianina OPRE, President of the National Supervisory Authority for Personal Data Processing

Slovakia

Office for Personal Data Protection of the Slovak Republic
Hraničná 12
820 07 Bratislava 27
Tel.: + 421 2 32 31 32 14
Fax: + 421 2 32 31 32 34
email: statny.dozor@pdp.gov.sk
Website: http://www.dataprotection.gov.sk/

Slovenia

Information Commissioner of the Republic of Slovenia
Dunajska 22
1000 Ljubljana
Tel. +386 1 230 9730
Fax +386 1 230 9778
email: gp.ip@ip-rs.si
Website: https://www.ip-rs.si/

Member: Ms Mojca PRELESNIK, Information Commissioner of the Republic of Slovenia

Spain

Agencia Española de Protección de Datos (AEPD)
C/Jorge Juan, 6
28001 Madrid
Tel. +34 91 266 3517
Fax +34 91 455 5699
email: internacional@aepd.es
Website: https://www.aepd.es/

Member : Ms María del Mar España Martí, Director of the Spanish Data Protection Agency

Sweden

Datainspektionen
Drottninggatan 29
5th Floor
Box 8114
104 20 Stockholm
Tel. +46 8 657 6100
Fax +46 8 652 8652
email: datainspektionen@datainspektionen.se
Website: http://www.datainspektionen.se/

Member: Ms Lena Lindgren Schelin, Director General of the Data Inspection Board

In accordance with the European Economic Area (EEA) agreement, as from 20 July 2018, the EEA countries, Iceland, Lichtenstein, Norway, became members of the European Data Protection Board without voting right and without the right to be elected as chair and vice-chair, for GDPR related matters (see the EEA fact sheet)

Iceland

Persónuvernd
Rauðarárstígur 10
105 Reykjavík
Tel: +354 510 9600
email: postur@dpa.is
Website: https://www.personuvernd.is or https://www.dpa.is

Ms Helga Þórisdóttir, Commissioner

Liechtenstein

Data Protection Authority, Principality of Liechtenstein
Städtle 38
9490 Vaduz
Principality of Liechtenstein
Tel. +423 236 6090
email: info.dss@llv.li
Website: https://www.datenschutzstelle.li

Member: Dr Marie-Louise Gächter, Commissioner

Norway

Datatilsynet
Tollbugata 3
0152 Oslo
Tel +47 22 39 69 00
email: postkasse@datatilsynet.no
Website: www.datatilsynet.no

Member: Mr Bjørn Erik THON, Director-General

Source: EDPB

Photo by Guillaume Périgois on Unsplash

The post Data Protection Authorities (DPA) appeared first on GDPR Register | Compliance tool for privacy experts.

Data Processing Agreement (DPA)

Aleksander Uibo — Tue, 22 Sep 2020 15:48:22 +0000

What is a DPA?

A Data Processing Agreement (DPA) is a legally binding document to be entered into between the controller and the processor in writing or in electronic form. It regulates the scope and purpose of processing, as well as the relationship between the controller and the processor. The contract is important so that both parties understand their responsibilities and liabilities.

Why businesses need Data Processing Agreement?

It’s practically not possible to run a business without processing personal data and exchanging it with other businesses. It may be website analytics software, cloud storage, CRM or marketing platform, and whether you are controller, processor, sub-processor or joint controller, you have to construct a lawful Data Processing Arrangement with the party you exchange personal information.

GDPR does not have legal restrictions on the form of the Data Processing Agreement, however, if processor is located outside EU and international data transfer happens, there are some specific requirements to the format of documentation, for example standard contractual clauses, corporate binding rules., etc.

Considering the complexity of the task, it’s advisable to have a data processing agreement as a separate document.

Do I need to have a Data Processing Agreement?

If you exchange personal data with other parties, you should have a Data Processing Agreement in place. Articles 28 through 36 of the GDPR cover the requirements for data processing and data processing agreements. Let’s have a look at a bit more specific responsibilities of different roles.

Controller

The controller is responsible for establishing a lawful data process and observing the rights of data subjects. The controller defines the way how data processing takes place and at what conditions. The controller must have a data processing agreement with its processors.

Example: Company A collects itself customer data and stores it in an online SaaS CRM system provided by company B. In such a case, company A is controller and company B is a processor.

Processor

The data processor should handle the data exclusively in the manner demanded by the controller. Processor must have adequate information security in place, shouldn’t use sub-processors without the knowledge and consent of the controller, must cooperate with the authorities in the event of an enquiry, must report data breaches to the controller as soon as they become aware of them, must give the data controller the opportunity to carry out audits examining their GDPR compliance, must help the controller to comply with data subjects’ rights, must assist the data controller in managing the consequences of data breaches, must delete or return all personal data at the end of the contract at the choice of the controller, and must inform the controller if the processing instructions infringe GDPR.

Sub-processor

Sub-processor performs data processing on behalf of the processor. Data processors should have a data processing agreement with any sub-processors they use. The processor shouldn’t engage sub-processors without the prior consent of the controller.

Example: Company B provides an online SaaS CRM system, which is hosted on a platform of company C. As company B is the processor, company C is deemed as sub-processor.

Joint Controller

Article 26 defines joint controllers as two or more controllers jointly determining the purposes and means of processing. Regardless of those arrangements, each controller remains responsible for complying with all the obligations of controllers under the GDPR. Joint controllers are not required to have a contract, but you must have a transparent arrangement that sets out your agreed roles and responsibilities. Such information should be available to data subjects.

Example: A travel agency collects some portion of customer’s personal information (name and email) to book a hotel, then hotel collects the rest of information (address, verifies ID, etc). As both perform a part of the same process, they are joint controllers..

What should be included in a data processing agreement?

Articles 28 through 36 of GDPR set conditions of data exchange and conditions of personal data between controller and processors. Here are the most important subjects you have to cover in your data processing agreement.

Details about processing

the subject matter and duration of the processing;
the nature and purpose of the processing;
the type of personal data and categories of data subject;
purpose and legal basis of personal data processing;
the controller’s and processor’s rights and responsibilities.

Minimum required terms

The processor must act in accordance with written instructions of the controller

The agreement must say that the processor may only process personal data in line with the controller’s documented instructions (including when making an international transfer of personal data) unless it is required to do otherwise by EU or member state law.

An instruction can be documented by using any written form, including email. The instruction must be in a reproducible form, so that there is a record of the instruction.

This contract term should make it clear that it is the controller, rather than the processor, that has overall control of what happens to the personal data.

If a processor acts outside of the controller’s instructions in such a way that it decides the purpose and means of processing, then it will be considered to be a controller in respect of that processing and will have the same liability as a controller.

Confidentiality of processed personal data

The agreement has to say that the processor must obtain a commitment of confidentiality from anyone it allows to process the personal data, unless that person is already under such a duty by statute.

This contract term should cover the processor’s employees as well as any temporary workers and third-party workers who have access to the personal data.

Obligation to have adequate information security in place, technical and organisational measures to be met

The agreement sets obligation on the processor to take all security measures necessary to meet the requirements on the security of processing (see Article 32).

Both controllers and processors are obliged to put in place appropriate technical and organisational measures to ensure the security of any personal data they process which may include, as appropriate:

encryption and pseudonymisation;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore access to personal data in the event of an incident; and
processes for regularly testing and assessing the effectiveness of the measures.

Codes of conduct and certification may help processors to demonstrate sufficient guarantees that their processing will comply with the GDPR.

The requirement to use sub-processors only with the data controller’s knowledge and consent

The agreement must say that:

the processor should not engage a sub-processor without the controller’s prior specific or general written authorisation;
if a sub-processor is employed under the controller’s general written authorisation, the processor should let the controller know of any intended changes and give the controller a chance to object to them;
if the processor employs a sub-processor, it must put a contract in place imposing the same data protection obligations on that sub-processor;
the processor is liable to the controller for a sub-processor’s compliance with its data protection obligations.

Cooperation of processor for the purpose of resolving subject access requests

The agreement has to provide for the processor to take appropriate technical and organisational measures to help the controller respond to requests from individuals to exercise their rights.

Cooperation of processor for the purpose of protecting the rights and privacy of data subjects

The agreement has to say that, taking into account the nature of the processing and the information available, the processor must assist the controller in meeting its obligations to:

keep personal data secure;
notify personal data breaches to the supervisory authority;
notify personal data breaches to data subjects;
carry out data protection impact assessments (DPIAs) when required; and
consult the supervisory authority where a DPIA indicates there is a high risk that cannot be mitigated.

The agreement should be as clear as possible about how the processor will help the controller meet its obligations.

Duration of the processing and returning and/or deletion of personal data

The agreement has to say that at the end of the contract the processor must:

at the controller’s choice, delete or return to the controller all the personal data it has been processing for it; and
delete existing copies of the personal data unless EU or Member State law requires it to be stored.

It should be noted that deletion of personal data should be done in a secure manner, in accordance with the security requirements of Article 32.

The agreement has to include these terms to ensure the continuing protection of the personal data after the contract ends. This reflects the fact that it is ultimately for the controller to decide what should happen to the personal data being processed, once processing is complete.

The processor should allow the data controller to carry out audits examining their compliance

Under Article 28(3)(h) the agreement has to require:

the processor to provide the controller with all the information that is needed to show that the obligations of Article 28 have been met; and
the processor to allow for, and contribute to, audits and inspections carried out by the controller, or by an auditor appointed by the controller.

This provision obliges the processor to be able to demonstrate compliance with the whole of Article 28 to the controller. For instance, the processor could do this by giving the controller the necessary information or by submitting to an audit or inspection.

Keeping records of the processing activities would be useful for the processor to demonstrate compliance with Article 28. Requirements for processors to maintain records of their processing activities are set out in Article 30(2).

Other requirements

If required by GDPR, the data processor shall appoint a Data Protection Officer and both parties must agree on periodic review of terms of the agreement.

Need registry of data processing agreements?

The post Data Processing Agreement (DPA) appeared first on GDPR Register | Compliance tool for privacy experts.

GDPR compliance checklist for controllers

Aleksander Uibo — Tue, 08 Sep 2020 13:36:26 +0000

This is a simple GDPR compliance checklist for controllers that you can use to ensure you have considered most important aspects of the GDPR. Before starting, you should first determine whether you process personal data as a “controller” or “processor”. The definition of these two terms can be found in our “GDPR Basics: Are you a Controller or a Processor?” article.

GDPR Compliance Checklist section 1: Data mapping and records of processing activities

Conduct information audit to map personal data flows

organise an information audit across your organisation to identify the data that you process and how it flows into, through and out of your organisation;
involve stakeholders with in-depth knowledge of your working practices;
create a register of third parties with whom you may share personal information.

Document what personal data you hold, where it came from, who you share it with and what you do with it.

maintain records of processing activities detailing what personal data you hold, where it came from, who you share it with and what you do with it;
records of processing activities should be kept in electronic form;
ensure you have procedures to share this information with stakeholders and maintain ongoing changes when needed

Recommendation: save 70% of your time spent on records of processing activities by using GDPR Register.

Identify your lawful bases for processing and documented them.

look at the various types of data processing you have documented in the section above;
identify your lawful bases for carrying it out;
document it into your records of processing activities.

GDPR Compliance Checklist section 2: Actions basing on specific legal bases

Consent

Review how you ask for and record consent.

Identify from your records of processing activities which activities use consent as a legal basis of processing.
Make sure you obtain valid consent from individuals.
Make sure individuals can withdraw consent at any time.
Don’t make consent a precondition of service.

Create systems to record and manage ongoing consent.

Keep a record of when and how you got consent from the individual.
Keep a record of the consent form and texts provided in it.

If you process data on basis of vital interests of an individual, document the circumstances where it will be relevant. Document your justification for relying on this basis and informs individuals where necessary.

ensure guidance is available for staff on the circumstances where they need to use this lawful basis for processing;
review your existing processing to identify if you have any ongoing processing for this reason, or are likely to need to process for this reason in future; and then
document where you rely on this basis and inform individuals if relevant.

If you are relying on legitimate interests as the lawful basis for processing, apply the three-part test and demonstrate you have fully considered and protected individual’s rights and interests.

conduct a legitimate interests assessment (LIA) and keep a record of it, to ensure that you can justify your decision;
if your LIA identifies significant risks, consider whether you need to do a data protection impact assessment (DPIA) to assess the risk and potential mitigation in more detail;
keep your LIA under review, and repeat it if circumstances change; and
include information about your legitimate interests in your privacy information.

GDPR Compliance Checklist section 3: Rights of individuals

Make Privacy Notice readily available to individuals.

let individuals know who you are, why you are processing their data and who you share it with;
be concise and to the point;
be easy to understand;
be clearly signposted and easy to access;
be written in clear and plain language, particularly if addressed to a child;
be free of charge;
include different information depending on whether you obtained the data directly from the individual or not;
explain the risks involved in the processing and the safeguards you have put in place.

Establish a process to recognise and respond to individuals’ requests to access their personal data.

ensure a process is in place to allow you to recognise and respond to any requests for personal data within the timescales ;
establish a policy on how to record any requests you receive verbally;
include right of access procedures within your data protection policy;
provide awareness training to all staff and specialist training to individuals who deal with any requests.

Make sure you have processes in place to ensure that the personal data you hold remains accurate and up to date.

implement procedures to allow individuals to challenge the accuracy of the information you hold about them and have it corrected if necessary;
create records management policies, with rules for creating and keeping records (including emails);
conduct regular data quality reviews of systems and manual records you hold to ensure the information continues to be adequate for the purposes of processing;
regularly review information to identify when you need to correct inaccurate records, remove irrelevant ones and update out-of-date ones.

Implement a process to securely dispose of personal data that is no longer required or where an individual has asked for it to be deleted.

have procedures in place that allow individuals to request the deletion or erasure of information you hold about them if there is no compelling reason for you to continue processing it;
have procedures to inform any other organisations you have shared the information with about the request for erasure;
introduce procedures, if the data has been made public in an online environment, to inform other controllers who are processing the personal data to erase links to, copies or replication of that data;
have procedures to delete information from any back-up systems;
implement a written retention policy or schedule to remind you when to dispose of various categories of data, and help you plan for its secure disposal;
regularly review the retention schedule to make sure it continues to meet business and statutory requirements.

Make sure you have procedures in place to respond to an individual’s request to restrict the processing of their personal data.

review your procedures to determine where you may be required to restrict the processing of personal data;
implement a process that enables individuals to submit a request to you; have a process to act on an individual’s request to block or restrict the processing of their personal data;
have procedures to inform any other organisations you have shared the information with, if possible;
inform individuals when you decide to lift a restriction on processing.

Make sure you have processes in place to allow individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability.

implement a process that will enable individuals to submit a request to you;
have a process to allow you to recognise and respond to any individual requests in line with your legal obligations and statutory timescales;
provide the personal data in a structured, commonly used and machine readable format;
ensure that the medium in which you provide the data has appropriate technical measures in place to protect the data it contains;
ensure that the medium in which you provide the data allows individuals to move, copy or transfer that data easily from one organisation to another without hindrance.

Make sure you have procedures in place to handle an individual’s objection to the processing of their personal data.

review your processes and privacy information to ensure you inform individuals of their right to object “at the point of first communication”. You should display or give this information clearly and separately from any other information;
implement a process that will enable individuals to submit an objection request (this could include an online option);
provide training or raise awareness amongst your staff to ensure they are able to recognise and respond (or know where to refer the request to) to an objection raised by an individual;
establish a policy on how to record any objections you receive verbally; have procedures in place to consider the individual’s objection to the processing of their personal data and record the outcome;
have processes to demonstrate, where appropriate, your reasons to continue with the processing, based on the compelling legitimate grounds outlined within the GDPR; and
inform individuals of the outcome of their objection.

Make sure you have identified whether any of your processing operations constitute automated decision making under Article 22 of the GDPR and have procedures in place to deal with the requirements.

carry out a Data Protection Impact Assessment (DPIA) to identify whether any of your processing operations constitute solely automated decision making with significant effects ;
establish whether you can rely on one of the GDPR exceptions for the processing and keep a record of it;
identify the appropriate condition if you are processing special category personal data and keep a record of it;
ensure you inform individuals about the processing in your privacy information;
introduce a process for individuals to obtain an explanation of the decision and request a review; and
implement procedures and safeguards to address the risks involved with this type of processing.

GDPR Compliance Checklist section 4: Accountability and governance

Your organisation has an appropriate data protection policy.

You should have a standalone policy statement or general staff policy that:

sets out your approach to data protection together with responsibilities for implementing the policy and monitoring compliance;
aligns with and covers the measures within this checklist as a minimum;
management approve and you publish and communicate to all staff; and
you review and update at planned intervals or when required to ensure it remains relevant.

Monitor your own compliance with data protection policies and regularly reviews the effectiveness of data handling and security controls.

establish a process to monitor compliance to the policies;
regularly test the measures that are detailed within the policies to provide assurances that they continue to be effective;
ensure that responsibility for monitoring compliance with the policies is independent of the persons implementing the policy, to allow the monitoring to be unbiased; and
report any results to senior management.

Provide data protection awareness training for all employees.

provide induction training on or shortly after appointment;
update all staff at regular intervals or when required (for example, intranet articles, circulars, team briefings and posters); and
provide specialist training for staff with specific duties, such as marketing, information security and database management.

Make sure you have written contract with any processors you use.

ensure that you have a written contract in place whenever you use a processor (a natural or legal person or organisation which processes personal data on your behalf);
check both new and existing contracts in force include certain specific terms, as a minimum, to ensure that data processing meets the requirements of the GDPR;.
outline in the contract the technical and organisational arrangements the processor must have in place;
include arrangements for security of processing, keeping records of processing activities, and notification of data breaches;
refer to the Data Processing Agreement article to clarify responsibilities and liabilities, and to help you draft new contracts and amend existing ones;
add all agreements to special register of data processing agreements to be sure you have covered all of your third parties.

Ensure an adequate level of protection for any personal data processed by others on your behalf that is transferred outside the European Economic Area.

ensure that any data you transfer outside the EU complies with the conditions for transfer set out in Chapter V of the GDPR;
ensure that you have adequate safeguards and data security in place, that is documented in a written contract using standard data protection contract clauses; and
implement measures to audit any documented security arrangements on a periodic basis.

Manage information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively.

have a clearly communicated set of security policies and procedures, which reflect business objectives and assign responsibilities to support good information risk management;
ensure that you have processes in place to analyse and log any identified threats, vulnerabilities, and potential impacts which are associated with your business activities and information (risk register); and
apply controls to mitigate the risks you’ve identified within agreed appetites and regularly test these controls to ensure they remain effective.

Implement appropriate technical and organisational measures to integrate data protection into your processing activities.

look to continually minimise the amount and type of data you collect, process and store, such as by undertaking regular information and internal process audits across appropriate areas of the business;
consider pseudonymising the personal data where appropriate to render the data record less identifying and therefore reduce concerns with data sharing and data retention;
reflect technical and organisational security measures in your records of processing activities;
regularly undertake reviews of your public-facing documents, policies and privacy notice(s) to ensure they meet the renewed transparency requirements under the GDPR;
ensure any current and/or new processes or systems enable you to comply with an individual’s rights under the GDPR; and
create, review and improve your data security features and controls on an ongoing basis.

Understand when you must conduct a DPIA and has processes in place to action this.

establish a policy which sets out when you should conduct a DPIA, who will authorise it and how it will be incorporated into the overall project plan. A DPIA screening process may be a useful tool in determining whether a DPIA is required;
assign responsibility for completing DPIAs to a member of staff who has sufficient control over the project to effect change eg Project Lead/Manager;
where a DPIA is required, ensure you complete the process before beginning the project;
ensure your process for completing a DPIA includes consultation with the DPO/ data protection lead, data processors, third party contractors and with the public/their representatives in most cases;
ensure the information contained within the DPIA complies with the requirements under the GDPR and that you detail the results within a report;
where a DPIA indicates that the processing would result in a high risk and you are unable to mitigate those risks by reasonable means, ensure your business consults with the Data protection Authority in your country prior to commencing processing.

Read more in in our Data protection Impact assessment guide.

Make sure you have a DPIA framework which links to your existing risk management and project management processes.

review your existing risk and project management processes and ensure there is consistency and links with your DPIA processes in place;
drive awareness of DPIAs across your business, and particularly amongst risk and project teams so that they understand the requirements; and
ensure DPIA documentation is readily available for staff to use and that you have trained them on how to conduct the assessment.

If required, appoint a DPO. In other cases, nominate a data protection lead.

designate responsibility for data protection compliance to a suitable individual;
support the appointed individual through provision of appropriate training;
ensure there are appropriate reporting mechanisms in place between the individual responsible for data protection compliance and senior management;
register the details of your DPO with the Data protection Inspectorate of your country; and
document the internal analysis carried out to determine whether or not a DPO is to be appointed, unless it is obvious that your organisation is not required to designate a DPO.

Make sure decision makers and key people in your business demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business.

clearly set out your business’s approach to data protection and assign management responsibilities;
ensure you have a policy framework and information governance strategy in place to support a positive data protection and security culture which has been endorsed by management;
assess and identify areas that could cause data protection or security compliance problems and record these on your business’s risk register;
deliver training which encourages personal responsibility and good security behaviours; and
run regular general awareness campaigns across your business to educate staff on their data protection and security responsibilities and promote data protection and security awareness and compliance.

GDPR Compliance Checklist section 5: Security and breach prevention

Create an information security policy supported by appropriate security measures.

develop, implement and communicate an information security policy;
ensure the policy covers key information security topics such as network security, physical security, access controls, secure configuration, patch management, email and internet use, data storage and maintenance and security breach / incident management;
implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with your security policy;
implement periodic checks for compliance with policy, to give assurances that security controls are operational and effective; and
deliver regular staff training on all areas within the information security policy.

Make sure you have an effective process to identify, report, manage and resolve any personal data breaches.

train staff how to recognise and report breaches;
have a process to report breaches to the appropriate individuals as soon as staff become aware of them, and to investigate and implement recovery plans;
put mechanisms in place to assess the likely risk to individuals and then, if necessary, notify the breach to the Data Protection Authority and inform affected individuals;
monitor the type, volume and cost of incidents to identify trends and help prevent recurrences; and
conclude a breach register and document all breaches there, even if you don’t need to report them.

Source ICO

The post GDPR compliance checklist for controllers appeared first on GDPR Register | Compliance tool for privacy experts.

GDPR Basics: Are you a Controller or a Processor?

Aleksander Uibo — Tue, 08 Sep 2020 12:23:10 +0000

What are ‘controllers’ and ‘processors’?

With this short and simple article, we will try to explain the basics of controllers and processors.

Controllers are the main decision-makers – they exercise overall control over the purposes and means of the processing of personal data.

If two or more controllers jointly determine the purposes and means of the processing of the same personal data, they are joint controllers. However, they are not joint controllers if they are processing the same data for different purposes.

Processors act on behalf of, and only on the instructions of, the relevant controller.

How do you determine whether you are a controller or processor?

You should be able to differentiate between controllers, joint controllers and processors so you understand which GDPR obligations apply to which organisation.

To determine whether you are a controller or processor, you will need to consider your role and responsibilities in relation to your data processing activities.

If you exercise overall control of the purpose and means of the processing of personal data – ie, you decide what data to process and why – you are a controller.

If you don’t have any purpose of your own for processing the data and you only act on a client’s instructions, you are likely to be a processor – even if you make some technical decisions about how you process the data.

What does it mean if you are a controller?

Controllers shoulder the highest level of compliance responsibility – you must comply with, and demonstrate compliance with, all the data protection principles as well as the other GDPR requirements. You are also responsible for the compliance of your processor(s) and should have signed relevant agreements with them. Those could be depending on circumstances Data Processing Agreement, Standard Contractual Clauses, etc.

Supervisory authorities and individuals may take action against a controller regarding a breach of its obligations.

What does it mean if you are a processor?

Processors do not have the same obligations as controllers under the GDPR. However, if you are a processor, you do have a number of direct obligations of your own under the GDPR.

Both supervisory authorities and individuals may take action against a processor regarding a breach of those obligations.

What does it mean if you are joint controllers?

Joint controllers must arrange between themselves who will take primary responsibility for complying with GDPR obligations, and in particular transparency obligations and individuals’ rights. They should make this information available to individuals.

However, all joint controllers remain responsible for compliance with the controller obligations under the GDPR. Both supervisory authorities and individuals may take action against any controller regarding a breach of those obligations.

Other useful resources on this subject: ICO, EU

The post GDPR Basics: Are you a Controller or a Processor? appeared first on GDPR Register | Compliance tool for privacy experts.

Templates for Records of Processing Activities

Aleksander Uibo — Fri, 09 Aug 2019 09:32:54 +0000

As we see every day, most companies and organisations still keep their Records of Processing Activities in spreadsheets. Through our experience, we have seen a lot of different formats and approaches. Often such spreadsheets don’t respond to GDPR Article 30 requirements or not detailed enough.

Here are examples of the most common challenges our customer were facing before joining with GDPR Register:

Wrong definition of processing activities (defining processes or systems instead of processing activities)
Lack of overview of data as spreadsheet became too long
Reporting to authorities and/or business partners takes too long and there is a high risk of mistakes
Multiple sheets for management of multiple companies and not having an overview of what is done and what’s not
No overview over Data processing Agreements and hard to understand what data and activities are related to with processing contract

In contrast to a GDPR Register’s approach is basing on templates, which provide a good starting point if you do it from scratch and extensive tool for standardisation of your corporate compliance documentation. Having the possibility of reusing templates of processing activities between all managed companies and organisations, creation of customized templates, we get to great overview and a clear understanding of what is happening within the managed area.

Below you can find a list of most common examples of our templates..

Examples of templates for records of processing activities

Website and Social Media

Events, games, contests and campaigns
Social Media
Surveys
Mobile app administration
Facebook “Like” button on the website
Chatbot – unauthenticated visitors
Chatbot – authenticated visitors
Google Universal Analytics with IP Anonymization

Employees, HR and Accounting

Employees payroll
Employees sick leave administration
Employees database
Employees training
Employees physical access to working premises
Employees video surveillance
Employees on social media
Employees injured during the work accident
Employees on website
Employees location data
Employees’ children
Employees medical review
Employees family relations
Job Applicants Recruitment

Customer operations

Customer invoicing
Customer marketing campaigns
Customer debt management
Customer loyalty card management
Customer direct marketing by e-mail
Customer payment processing
Customer feedback management
Customer orders management
Customer profiled direct marketing by e-mail
E-commerce client administration (without an account)
E-commerce client administration (with account)
E-commerce customer profile analysis

Finance and Insurance

Customer Due Diligence (KYC)
Customer Creditworthiness Assessment
Customer Credit File
Challenging Payment Defaults
Insurance contract administration
Insurance fraud prevention
Customer’s insurance risk assessment
Payments to insurance beneficiaries
Broker agreements management

Travel and Hospitality

Greeting services
Hotel reservation management
Restaurant reservation
SPA Services
Wi-Fi Service
Tourist Visa service
Travel Agency’s service to a customer
Travel Agency’s service to a customer through a representative
Travel insurance service

Would you like to find out more?

The post Templates for Records of Processing Activities appeared first on GDPR Register | Compliance tool for privacy experts.

Web plug-in requires visitor’s consent

Aleksander Uibo — Mon, 05 Aug 2019 12:32:10 +0000

In the light of the recent ruling of the European Court of Justice, website owners have to bear in mind their data protection responsibilities when using plugins on their websites.

This case concerns the German company FashionID, which had a Facebook plug-in installed on its website. In addition, the program transmitted personal data to Facebook without the visitor being aware of it, regardless of whether they have a Facebook account or have pressed the “Like” button.

In its ruling, the court explained that in such a situation the website owner is jointly responsible with Facebook for the personal data collected and sent to Facebook. The website owner is not responsible for the subsequent processing of personal data by Facebook alone.

The court found that FashionID could be considered a joint controller with Facebook since FashionID and Facebook jointly determine the means and purposes of the data processing operations when assessing the collection and transfer of personal data. Using the Facebook plug-in on a website allows FashionID to optimize the promotion of its products, making them more visible and providing a clear business advantage. This shows that using the plug-in is in the economic interest of both FashionID and Facebook.

The court explained that the website must obtain the user’s consent before sending personal data to Facebook unless a legitimate interest is used as a basis for the processing. Such consent must be separate and specific to such data processing operation.

Websites send personal information to Facebook already at the time of page loading, before the user can opt-out. However, data protection rules require consent before sending personal data through plug-ins to third parties. Such consent can be added to the cookie message bar and an explanation of the services to which the personal information is transmitted. In this case, the consent request is clear and transparent. It is also possible to set up plug-ins so that they do not send information until the visitor of the web site has given their consent, i.e., clicking on the cookie banner.

Do you use Facebook “Like” button? We have created Facebook “Like” button processing activity template in GDPR Register. Subscribe for a 14-day trial to see it.

The post Web plug-in requires visitor’s consent appeared first on GDPR Register | Compliance tool for privacy experts.

First GDPR fine issued in Lithuania

Sarune Zybartaite — Sat, 25 May 2019 09:31:03 +0000

A year after GDPR came into force, the Lithuanian Data Protection Authority (VDAI) has issued its first administrative fine. UAB ‘Mister Tango’, a company that provides financial operation services globally, was fined 61,500 EUR in respect of GDPR Articles 5, 32 and 33 relating to improper processing of personal data in instant screen images (screenshots).

Improper processing of personal data

Of the company’s images, 9000 were found to contain personal details and payment session copies of customers of 12 different banks in different countries. It was also found that ‘Mister Tango’ processes an extensive amount of personal data that is not stated in its privacy policy, which violates GDPR Art. 5.

Furthermore, for at least 2 days the list of processed payments showing customers’ data was visible online. Disclosure of personal data is treated as a personal data breach and must be reported within 72 hours (GDPR Art. 33). However, VDAI was not informed about the incident.

Data Protection Authority investigation

Before deciding to impose the fine, the VDAI considered all the factors relative to whether or not ‘Mister Tango’ acted to the best of its abilities in making sure that data processing was transparent, compliant and secure.

VDAI concluded that ‘Mister Tango’ doesn’t have the necessary technical and organisational security measures in place to ensure the required level of safety, including protection against unauthorised processing or disclosure (GDPR Art.32).

The VDAI’s decision has not yet come into force and can be appealed against through the court.

The original source: Įmonės atsakomybės neišvengs – Lietuvoje skirta ženkli bauda už Bendrojo duomenų apsaugos reglamento pažeidimus

GDPR Register | Compliance tool for privacy experts

Direct marketing rules and exceptions under the GDPR

Newsletters and direct marketing to the customer

Service notifications

Profiled direct marketing

Providing similar products or services in the context of a customer relationship

Personal Data Breach Reporting Requirements Under the GDPR

What is Data Breach?

In what circumstances do you need to report a data breach?

Breach Register will be launched soon

Reporting the breach to Data Protection Authority

Notifying Data Subjects about the Data Breach

Should Processor report a Data Breach?

Stop wasting time on spreadsheets and get into control of your compliance documentation

Records of processing activities in GDPR Article 30

What do companies have to include in the records of processing activities?

Which companies are obliged to keep records of processing activities?

How to store records of data processing activities?

What exactly has to be documented?

Save your time, get things done!

Data Protection Authorities (DPA)

Data Protection Authorities (DPA)

European Data Protection Supervisor

Austria

Belgium

Bulgaria

Croatia

Cyprus

Czech Republic

Denmark

Estonia

Finland

France

Germany

Greece

Hungary

Ireland

Italy

Latvia

Lithuania

Luxembourg

Malta

Netherlands

Poland

Portugal

Romania

Slovakia

Slovenia

Spain

Sweden

Iceland

Liechtenstein

Norway

Data Processing Agreement (DPA)

What is a DPA?

Why businesses need Data Processing Agreement?

Do I need to have a Data Processing Agreement?

Controller

Processor

Sub-processor

Joint Controller

What should be included in a data processing agreement?

Details about processing

Minimum required terms

The processor must act in accordance with written instructions of the controller

Confidentiality of processed personal data

Obligation to have adequate information security in place, technical and organisational measures to be met

The requirement to use sub-processors only with the data controller’s knowledge and consent

Cooperation of processor for the purpose of resolving subject access requests

Cooperation of processor for the purpose of protecting the rights and privacy of data subjects

Duration of the processing and returning and/or deletion of personal data

The processor should allow the data controller to carry out audits examining their compliance

Other requirements

Need registry of data processing agreements?

GDPR compliance checklist for controllers

GDPR Compliance Checklist section 1: Data mapping and records of processing activities

Conduct information audit to map personal data flows

Document what personal data you hold, where it came from, who you share it with and what you do with it.

Identify your lawful bases for processing and documented them.

GDPR Compliance Checklist section 2: Actions basing on specific legal bases