1. Make sure that the data that you received was collected legitimately and that the individuals concerned have been informed about the processing of their personal data.
2. In case a third party is processing personal data on your behalf, make sure you have a controller-processor contract, which details the processing operations and means to process personal data.

And of course, comply with all the obligations of controllers.

More information:

• Data controller or data processor

Publishing the names of the winners of a competition on your website could be considered as a legitimate interest, if you can prove this by carrying out a balancing test to determine whether your legitimate interests outweigh individuals’ right.

A good practice would be to set up an internal procedure in which the rules on publishing personal data of winners are explained.

In addition, the processing of personal data for these purposes should be part of the competition’s privacy policy, so that participants are informed in advance about how their data is going to be processed.

More information:

• Process personal data lawfully

Yes, your clients must be informed, when they make a telephone call, of the purposes of the recording, the recipients of the recordings, of their right to object and their right to access the recordings.

More information:

• Process personal data lawfully

The necessary security measures can differ based on the nature of the personal data you process and the associated risks to individuals. In any case, there are some minimum measures you should put into place:

• secure access to the premises;
• use regularly updated antivirus software;
• carefully choose your passwords;
• make users authenticate themselves before using the computer facilities;
• have a data back-up and retrieval policy in place in case of an incident.

In addition, some basic measures such as locking your screen while you are away and locking up the office at the end of the day are never out of place...

More information:

• Secure personal data

You should respond without undue delay and at the latest within one month after receipt of the request. This deadline can be extended by another two months if the request is too complex and more time is needed to answer, provided that the individual is informed of this within one month after receiving the request.

You must do this free of charge.

More information:

• Respect individuals’ rights

No, the processing of sensitive data is generally prohibited, except under very specific circumstances:

• The individual has given their explicit consent for their sensitive data to be processed.
• The processing of sensitive data is necessary for the data controller to fulfil their obligations, specifically in the context of employment, social security and social protection. For example, the data controller may need to process a person’s sensitive data to be able to determine if they are entitled to certain social security benefits or employment stipends.
• The processing of sensitive data is necessary to protect the vital interests of a person where the individual is physically or legally incapable of giving consent. For example, if an individual is left unconscious as a result of an accident and requires immediate medical care, their health data may need to be processed for the appropriate medical care to be delivered.
• The processing of sensitive data is carried out in the context of the legitimate activities of a foundation, association or other non-for-profit organisation with a political, philosophical, religious or trade union aim, and only for the processing of the personal data of their members, former members or persons having regular contact with them.
• The sensitive data was manifestly made public by individual.
• The processing of sensitive data is necessary in the context of legal proceedings.
• The processing of sensitive data is necessary for matters of substantial public interest.
• The processing of sensitive data is necessary in the context of preventive or occupational medicine. For example, assessing an individual’s sensitive data, such as their medical data, may be necessary to determine their working capacity as an employee.
• The processing of sensitive data is necessary for matters of public health on the basis of EU or national law. For example, processing individuals’ sensitive data may be necessary to ensure a high quality of health care and a high quality of medical products, or to combat serious health threats, such as viruses.
• The processing of sensitive data is necessary for matters of archiving purposes in the public interest, or for scientific or historical  research purposes, or statistical purposes. For example, processing sensitive data may be necessary to provide accurate statistics on a country’s situation in a particular field. 

More information:

• Process personal data lawfully

The appointment of a DPO is mandatory in the following three cases:

• the organisation is a public authority;
• the organisation’s core activities consist in regular and systematic monitoring of individuals on a large scale, for example geolocation via a mobile application, or surveillance of shopping centres and public spaces through CCTV;
• the organisation’s core activities consist in large-scale processing of sensitive data  or personal data relating to criminal convictions and offences.

You can always appoint a DPO on a voluntary basis, even if this is not legally required. Please note that in that case, you must comply with all the provisions of the GDPR concerning the tasks and position of the data protection officer.

More information:

• Data Protection Officer

Cookies are small files stored on a device, such as a computer, a mobile device or any other device that can store information. Cookies serve a number of important functions, including remembering  users and their previous interactions with a website. They can be used to keep track of items in an online shopping cart or to keep track of information when details are inserted into an online application form.

Authentication cookies are also important to identify users when they log into banking services and other online services. The information stored in cookies can include personal data, such as an IP address, a username, a unique identifier, or an email address.

The GDPR imposes obligations on all organisations that process personal data, regardless of whether they are data controllers or data processors.

In particular, you should:

• Ask yourself if the purpose for which personal data may be collected is justified, and collect only personal data that is necessary for the specific purpose(s) envisaged;
• Keep individuals’ personal data accurate and up to date, and delete the data when it is no longer necessary;
• Respect individuals’ rights by informing them about how and why their data are processed, and allowing them to exercise their rights;
• Check if you have an appropriate legal basis for the processing of personal data. In case you intend to rely on the consent of individuals, ask for their consent before processing their personal data;
• Make sure that individuals’ personal data is handled in a secure way;
• Maintain a record of processing operations.

Data processors will have to adhere to the responsibilities set out in the controller-processor contract, and they must not process the data otherwise than according to the controller’s instructions.

More information:

• Be compliant
• Data controller or data processor
• Data protection basics