Pseudonymisation consists in transforming personal data so that it can no longer be attributed to a specific individual without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to individual. In practice, it may mean replacing personal data (name, first name, personal number, phone number, etc.) in a data set with indirectly identifying data (alias, sequential number, etc.). Pseudonymised data is still personal data and is subject to the GDPR.

Anonymised data is data that has been rendered anonymous in such a manner that the individual is not or no longer identifiable by any means that are reasonably likely to be used. When the anonymisation is implemented properly, the GDPR no longer applies to the anonymised data.

 

More information:

On the same topic:
Did you find your answer?

The necessary security measures can differ based on the nature of the personal data you process and the associated risks to individuals. In any case, there are some minimum measures you should put into place:

  • secure access to the premises;
  • use regularly updated antivirus software;
  • carefully choose your passwords;
  • make users authenticate themselves before using the computer facilities;
  • have a data back-up and retrieval policy in place in case of an incident.

In addition, some basic measures such as locking your screen while you are away and locking up the office at the end of the day are never out of place...

 

More information:

On the same topic:
Did you find your answer?

No, you do not need to be certified to become a DPO.

DPOs must, however, be able to demonstrate that they have the necessary qualifications required by the GDPR, such as expert knowledge of data protection law and practices.

 

More information:

On the same topic:
Did you find your answer?

DPOs can fulfil other tasks within the organisation, but this cannot result in a conflict of interest. This implies that the DPO cannot have a position in which they determine the purposes and means of the processing activities. Conflicting functions include mainly management positions (chief executive, chief operating, chief financial officer, Head of HR, Head of IT, managing director) but may also involve other functions if they lead to the determination of purposes and means of processing.

The DPO must be able to perform their duties and tasks in an independent manner. This means that your organisation:

  • may not give instructions to the DPO with regard to the performance of their DPO duties;
  • may not penalise or dismiss the DPO for performing their tasks.

 

More information:

On the same topic:
Did you find your answer?

The DPO cannot be held responsible for failure to comply with the GDPR. Compliance with the GDPR is the responsibility of the organisation that appointed the DPO.

More information:

On the same topic:
Did you find your answer?

The DPO can be an existing employee with sufficient knowledge of GDPR (if the professional tasks of the employee are compatible with those of the DPO and this does not lead to conflicts of interest) or an external person. The DPO should be able to carry out tasks independently and should be able to report directly to the highest management.

More information:

 

On the same topic:
Did you find your answer?

The task of the DPO include, among others:

  • to inform and advise the organisation and its employees on data protection compliance;
  • to monitor data protection compliance;
  • to provide advice on requests concerning the data protection impact assessment (DPIA);
  • to act as a contact point for the data protection authority (DPA) and to cooperate with that DPA;
  • to act as a contact point for individuals.

In addition, the DPO’s presence is generally recommended where decisions with data protection implications are taken. The DPO should also be promptly consulted once a data breach or another incident has occurred.

 

More information:

Did you find your answer?

The appointment of a DPO is mandatory in the following three cases:

  • the organisation is a public authority;
  • the organisation’s core activities consist in regular and systematic monitoring of individuals on a large scale, for example geolocation via a mobile application, or surveillance of shopping centres and public spaces through CCTV;
  • the organisation’s core activities consist in large-scale processing of sensitive data  or personal data relating to criminal convictions and offences.

You can always appoint a DPO on a voluntary basis, even if this is not legally required. Please note that in that case, you must comply with all the provisions of the GDPR concerning the tasks and position of the data protection officer.

 

More information:

Did you find your answer?

A Data Protection Impact Assessment or DPIA is a written assessment that your organisation should make to evaluate the impact of a planned processing operation. It helps you to identify the appropriate measures to address the risks, and to demonstrate compliance.

While it is always preferable to anticipate the impact of planned processing operations of your organisation by doing DPIA, it is compulsory to carry out a DPIA when the processing is likely to result in a high risk for individuals’ rights and freedoms.

Specifically, this is the case when the envisaged processing involves:

  • the processing - on a large scale- of sensitive personal data or data related to criminal convictions;  
  • a systematic and extensive evaluation of an individual’s personal aspects based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual in questions or similarly significantly affect individuals;
  • systematic monitoring of a publicly accessible area on a large scale.

The EDPB has developed guidelines which list the criteria you need to take into account when assessing whether a DPIA is mandatory or not. Data protection authorities (DPAs) have also published lists of processing operations which are subject to a DPIA. In addition several DPAs have developed guides, software, or self-assessment tools to help you with your assessment.

More information:

Did you find your answer?

No, it is not necessary to make your record of processing public. You must, however, be able to make the record available to the data protection authority upon request.

 

More information:

 

On the same topic:
Did you find your answer?
Subscribe to