Processing of personal data is lawful only if one of the legal bases set out in the General Data Protection Regulation (GDPR) applies. The organization must be able to state the purpose of the processing and its legal basis to the data subject and, where appropriate, to the supervisory authority.
The documentation shall include at least:
The record of processing activities is a written description of the processing of personal data carried out by the organization.
Keeping this record is mandatory if any of the following applies:
The record must be kept up to date. It also serves as a first-level means of assessing the lawfulness of processing, so it must be made available to the supervisory authority on request.
In Cyberday, the record of processing activities is a separate report that is compiled automatically from the data entered in the documentation sections.
The Data Protection Officer (or other responsible person) has drawn up operating instructions for personnel handling personal data. In addition, the Data Protection Officer is available to advise the controller, partners that process personal data, or the organization's own staff on compliance with the GDPR and other data protection requirements.
The organization must maintain a list of the data stores it controls and their owners. The owner is responsible for completing the documentation and for any other security actions directly related to the data store.
Data store documentation must include at least:
The organization has identified the purposes of personal data processing for which explicit consent is required as the legal basis. In addition, the organization has defined how the explicit consents received are documented.
Explicitness refers to the unequivocal way in which the data subject expresses consent. Such consent can be given, for example, by a handwritten signature on a statement, by an electronic signature, or by an acknowledgement given after two-step identification of the person.
Situations requiring such explicit identification may include, for example:
When acting as a processor, the organization is responsible for notifying the customer if the customer's processing instructions appear to violate laws or official requirements.
When the organization provides, for example, digital services to a customer, the contract between the organization and the customer must specify, among other things, the purpose of the service and the schedule for its delivery.
The organization must ensure that personal data processed on behalf of the customer is processed only for the purposes stated in the customer's written instructions.
The customer must also be given the opportunity to verify that the organization acts in accordance with these instructions. This ensures that the organization and its subcontractors process personal data only for the purposes indicated by the customer.
The organization must ensure that personal data processed on a contractual basis is not used for marketing or advertising unless the data subject has given prior consent.
Consent to marketing and advertising cannot be made a condition for receiving the service.
The organization must regularly review how it collects consent from data subjects to ensure that the consent obtained is unambiguous and specific.
Any data system can create temporary files during its normal operation. These include, for example, roll-back journals and temporary files created during updates.
The organization should document a defined retention period and a process for destroying temporary files and documents. It should also define procedures for recognizing files that are temporary and no longer used by the data system for any operation.
Data systems used for processing personal data should be subject to a periodic review that identifies unused temporary data for destruction.
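The periodic review described above can be automated. The following is an added example written for this page, not Cyberday's own code: it walks a directory tree, recognises temporary files by name, classifies them against a retention period, and either reports them (dry run) or destroys them. The file-name patterns, the seven-day retention period and the sample directory contents are assumptions made for the example and are not taken from the page.

```python
"""Periodic review of temporary files that have outlived their retention period.

Added example for this page; it is not Cyberday's own code. Assumptions that
the page does not make: temporary files are recognised by the file-name
patterns in TEMP_PATTERNS, and the documented retention period is
RETENTION_DAYS after the file was last modified.
"""
import os
import re
import stat
import tempfile
import time
from dataclasses import dataclass, field
from pathlib import Path

# Assumed name patterns for temporary artefacts (adapt to the data system).
TEMP_PATTERNS = [
    re.compile(r".*-journal$"),   # SQLite-style roll-back journal
    re.compile(r".*\.tmp$"),      # generic scratch file
    re.compile(r".*\.bak$"),      # backup copy left behind by an update
    re.compile(r"^~\$.*"),        # office suite lock/scratch file
]
RETENTION_DAYS = 7                # assumed documented retention period


@dataclass
class ReviewReport:
    candidates: list = field(default_factory=list)  # temp files past retention
    retained: list = field(default_factory=list)    # temp files still within retention
    destroyed: list = field(default_factory=list)   # actually deleted (destroy=True)
    errors: dict = field(default_factory=dict)      # path -> error message


def is_temporary(path: Path) -> bool:
    """Recognise a temporary file from its name alone."""
    return any(p.match(path.name) for p in TEMP_PATTERNS)


def review_temp_files(root, retention_days=RETENTION_DAYS, now=None,
                      destroy=False) -> ReviewReport:
    """Walk `root`, classify temporary files by age and optionally destroy them.

    With destroy=False this is the periodic review: nothing is deleted and the
    report lists what would go. Only regular files are considered, so symlinks
    and device nodes are never unlinked by mistake.
    """
    now = time.time() if now is None else now
    cutoff = now - retention_days * 86400
    report = ReviewReport()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if not is_temporary(path):
                continue
            try:
                st = path.lstat()
            except OSError as exc:
                report.errors[str(path)] = str(exc)
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mtime > cutoff:
                report.retained.append(path)   # still inside the retention period
                continue
            report.candidates.append(path)
            if destroy:
                try:
                    path.unlink()
                    report.destroyed.append(path)
                except OSError as exc:
                    report.errors[str(path)] = str(exc)
    return report


def build_sample_tree() -> str:
    """Create a constructed sample directory (not real data) for a dry run."""
    root = tempfile.mkdtemp(prefix="tmp-review-")
    now = time.time()
    samples = {                          # file name -> age in days
        "customers.sqlite-journal": 30,  # stale journal, past retention
        "export.tmp": 1,                 # fresh scratch file, keep for now
        "customers.sqlite": 40,          # live database, not temporary
    }
    for name, age_days in samples.items():
        p = Path(root) / name
        p.write_text("sample")
        mtime = now - age_days * 86400
        os.utime(p, (mtime, mtime))
    return root


def list_files(root) -> list:
    """Sorted file names remaining under `root` (used to verify the outcome)."""
    return sorted(p.name for p in Path(root).iterdir() if p.is_file())


if __name__ == "__main__":
    root = build_sample_tree()
    dry = review_temp_files(root)
    print("would destroy:", [p.name for p in dry.candidates])
    print("retained:", [p.name for p in dry.retained])
    wet = review_temp_files(root, destroy=True)
    print("destroyed:", [p.name for p in wet.destroyed])
    print("remaining:", list_files(root))
```

Run the dry run first and review its report before scheduling the destroying run; the age check is what keeps a roll-back journal that the data system is still actively writing out of the candidate list, so the retention period should be longer than any legitimate transaction window. On shared storage, also exclude files that are currently held open by a process before unlinking them.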
Personal data processed under a contract, for example when providing a cloud service to a customer, must not be used for marketing or advertising purposes without clear consent from the customer that controls the data.
This consent cannot, for example, be demanded as a prerequisite for using the offered cloud service.
This requirement follows the general rule that all processing of personal data must have a clear legal basis. Any such processing must be documented in the normal way.
Personal data processed under a contract in the offered cloud services cannot be processed for any other purpose, or in any way that departs from the customer's instructions.
The customer's instructions to the data processor can be contained in the contract between the cloud service provider and the customer, including, for example, the objective and expected time frame of the service.
If our organization processes personal data on the basis of the data subject's consent, we must ensure that the conditions for valid consent are met. The conditions for lawful consent are:
The Data Protection Officer may be responsible for assessing whether the conditions for consent are met. It is also important to consider whether consent is an appropriate legal basis for the processing in question at all, since consent can be withdrawn at any time.
One of the legal bases for lawful processing of personal data is the pursuit of the legitimate interests of the controller or a third party. To determine whether a legitimate interest justifies the processing, a so-called balancing test is carried out, weighing the interests of the controller or third party against the fundamental rights and freedoms of the data subject.
When our processing is based on a legitimate interest, we document the performance of the balancing test and its results so that, if necessary, we can demonstrate that our operations comply with the GDPR.
Storage limitation, i.e. limiting the retention period, is one of the principles of processing personal data. If the retention period for the data is not laid down by law, the following must be taken into account, for example, when determining retention periods:
Describe your own process for evaluating retention periods.
The purpose of a data protection impact assessment (DPIA) is to help identify, assess and manage the risks involved in the processing of personal data. An impact assessment must be carried out when the processing of personal data is likely to result in a high risk to people's rights and freedoms. The risk is increased by, for example, the use of new technologies, the processing of special categories of personal data, the automated evaluation of personal aspects (profiling), or the scale of the processing in general.
The task owner regularly evaluates the organization's processing of personal data, in particular the data stores, the related processing purposes and the data systems used, in order to determine whether impact assessments are needed. The task owner is also responsible for ensuring that the identified impact assessments are conducted and documented.
The organization should identify the statutory obligations that apply to decisions concerning data subjects that are based solely on automated processing (e.g. informing the data subject of automated decision-making and of the right to obtain human intervention) and ensure that these requirements are met in its own operations.
If our organization provides information society services directly to a child, processing personal data on the basis of consent is lawful if the child is at least 16 years old. (Member States may set a lower age limit, but not below 13 years.)
If the child is under 16, such processing is lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child.
Our organization has defined the relevant situations and the procedures applied to ensure that parental consent is obtained where necessary.
We know whether our processing of personal data involves data relating to criminal convictions and offences.
If we process personal data relating to criminal convictions and offences, the processing is carried out either under the control of an official authority or as authorized by Union or Member State law that provides appropriate safeguards for the rights and freedoms of data subjects.
The GDPR defines six legal bases for the lawful processing of personal data. In addition, stricter requirements apply to the processing of special categories of personal data. The legal basis relied on must also be communicated to data subjects in the organization's privacy notice. However, not all legal bases suit every situation, and relying on certain legal bases imposes additional requirements on the controller.
The Data Protection Officer (or other responsible person) helps to develop the lawfulness of processing by assessing the legal bases for the different purposes, in cooperation with the units carrying out the processing and on the basis of the organization's data protection communications.
The GDPR encourages the establishment of codes of conduct and certification mechanisms, data protection seals and marks, especially at the European Union level.
The idea behind all of these is to demonstrate that the processing complies with good data processing practice and data protection requirements. The European Data Protection Board collates all available certification mechanisms and makes them publicly available.
An annual privacy statement is a voluntary report drawn up by the organization that gives an overall picture of the current state of its personal data processing. The report is intended as a management tool that increases stakeholder confidence that the organization follows a sound, regulation-compliant approach to personal data processing.