The appointment of a DPO is mandatory in the following three cases:

• the organisation is a public authority;
• the organisation’s core activities consist in regular and systematic monitoring of individuals on a large scale, for example geolocation via a mobile application, or surveillance of shopping centres and public spaces through CCTV;
• the organisation’s core activities consist in large-scale processing of sensitive data  or personal data relating to criminal convictions and offences.

You can always appoint a DPO on a voluntary basis, even if this is not legally required. Please note that in that case, you must comply with all the provisions of the GDPR concerning the tasks and position of the data protection officer.

More information:

• Data Protection Officer

A Data Protection Impact Assessment or DPIA is a written assessment that your organisation should make to evaluate the impact of a planned processing operation. It helps you to identify the appropriate measures to address the risks, and to demonstrate compliance.

While it is always preferable to anticipate the impact of planned processing operations of your organisation by doing DPIA, it is compulsory to carry out a DPIA when the processing is likely to result in a high risk for individuals’ rights and freedoms.

Specifically, this is the case when the envisaged processing involves:

• the processing - on a large scale- of sensitive personal data or data related to criminal convictions;  
• a systematic and extensive evaluation of an individual’s personal aspects based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual in questions or similarly significantly affect individuals;
• systematic monitoring of a publicly accessible area on a large scale.

The EDPB has developed guidelines which list the criteria you need to take into account when assessing whether a DPIA is mandatory or not. Data protection authorities (DPAs) have also published lists of processing operations which are subject to a DPIA. In addition several DPAs have developed guides, software, or self-assessment tools to help you with your assessment.

More information:

• Be compliant

No, it is not necessary to make your record of processing public. You must, however, be able to make the record available to the data protection authority upon request.

More information:

• Be compliant

Generally speaking, every organisation should keep a record of their processing activities. This is an inventory of all processing operations and can help you make correct assumptions of your responsibilities under the GDPR and possible risks.

Each of these processing operations must be described in the record with the following information:

• the purpose of the processing (e.g. customer loyalty);
• the categories of data processed (e.g. for payroll: name, first name, date of birth, salary, etc.);
• who has access to the data (the recipients – e.g.: the department in charge of recruitment, the IT service, management, service providers, partners...);
• where applicable, information related to transfers of personal data outside the European Economic Area (EEA),
• where possible, the storage period (the period for which the data are useful from an operational point of view, and from an archiving perspective).
• where possible, a general description of the security measures.

The record of processing activities falls under the responsibility of your organisation’s manager.

This record must be available to the data protection authority of the EEA country where you operate, if requested.

It is not required for organisations employing fewer than 250 persons to mention purely occasional activities in their record (e.g. data processed for one-off events such as the opening of a shop).

More information:

• Be compliant

Individuals have the right to request erasure of personal data concerning them and in that case, the controller has the obligation to erase the personal data. You should respond without undue delay and at the latest within one month after receipt of the request. This deadline can be extended by another two months if the request is too complex and more time is needed to comply with the request, provided that the individual is informed of this within one month after receiving the request.

It is important to note that the right to erasure is not absolute. It does not apply when the data in question is necessary for:

• exercising the right to freedom of expression and information (e.g. for journalistic purposes);
• compliance with a legal obligation which requires the processing of personal data (e.g. processing records on employees’ work hours);
• reasons of public interest in the area of public health
• archiving purposes in the public interest or scientific or historical research purposes or statistical purposes; and
• the establishment, exercise or defence of legal claims.

When the personal data that is to be erased was previously transferred to other organisations, you must inform these recipients that the individual has requested erasure, unless this proves impossible or would require disproportionate efforts.

More information:

• Respect individuals’ rights

   

You should respond without undue delay and at the latest within one month after receipt of the request. This deadline can be extended by another two months if the request is too complex and more time is needed to answer, provided that the individual is informed of this within one month after receiving the request.

You must do this free of charge.

More information:

• Respect individuals’ rights

Individuals can ask you whether you are processing their data and where it is the case, they have a right to access that data. So when this happens and if you process their data, you should, for example provide a copy of their personal data, free of charge, together with any necessary additional information. Where a request is made electronically, your organisation should provide the required information in a commonly used electronic format, unless the individual requests otherwise.

More information:

• Respect individuals’ rights

If your organisation is collecting the personal data directly from individuals, it must provide the necessary information at the time of collection.

In case of indirect collection of personal data, your organisation must provide the information at the latest within one month after the personal data has been initially obtained. This maximum period of one month can be reduced:

• if the personal data is used for the purpose of communication with the data subject. In that case, you must inform the data subject at the latest at the time of the first communication to the data subject;
• if the data is transmitted to another recipient, the organisation informs the data subjects of this at the latest when the personal data is transferred. 

More information:

• Respect individuals’ rights

Organisations must, in the case of direct collection of personal data from the individuals concerned, provide information about the processing operations in a concise and transparent way, using understandable, easily accessible and clear and plain language. This can be done in writing (e.g. on the reverse side of a tender) or by electronic means (e.g. on a website). If the person concerned so requests, you may also provide this information orally, but you must be able to prove this afterwards.

Even when the data was collected indirectly, i.e. if you do not directly collect the personal data from an individual yourself, but for example via a third party, you must provide the same detailed information to individuals

The GDPR gives individuals control over the processing of their personal data. In order to do this, transparency is key. This means you have to inform individuals whose data you process about your processing operations and the purposes. In other words, you have to explain who processes their data, but also how and why. Only if the use of personal data is 'transparent' for those involved, can they assess possible risks and make decisions about their personal data.

Under the GDPR you are obliged to share the following information with individuals:

• the identity and contact details of the controller;
• the purposes of the processing;
• the legal basis of the processing (if legitimate interest, specific information about which legitimate interests relate to the specific processing, and about which  entity  pursues  each  legitimate  interest.)
• the contact details of the controller;
• the contact details of the DPO (if there is a DPO);
• the recipients or categories of recipients of the data;
• Information on whether the data will be transferred outside the European Economic Area (EEA) (where applicable: the existence or not of an adequacy decision or reference to the appropriate safeguards and how this information can be made available to data subjects);
• the categories of personal data processed, when the data is not obtained from the individual.

In addition, the GDPR requires your organisation to provide the following information to ensure fair and transparent processing:

• the retention period or, where this is not possible, the criteria used to determine this period;
• the right to request access, erasure, rectification, restriction, objection and portability of personal data;
• the right to lodge a complaint with a data protection authority;
• if the legal basis for the processing is consent: the right to withdraw consent at any time;
• in the case of automated decision-making, relevant information about the underlying logic and the intended consequences of the processing for the data subject;
• the source of the personal data (if you did not directly receive it from the individual concerned;
• whether the individual is required to provide the personal data (by law or by contract or to enter into a contract) and what the consequences of refusing to provide the data are.

More information:

• Respect individuals’ rights