Content library
Processing principles and accountability
Regular self-evaluation of the lawfulness of processing personal data
Privacy
Processing principles and accountability

Regular self-evaluation of the lawfulness of processing personal data

Start free trial

Task description

Regular self-evaluation of the lawfulness of processing personal data

GDPR defines six main legal bases for the lawful processing of personal data. In addition, more strict requirements apply to processing of special groups of personal data. The legal basis must also be communicated to the data subjects in privacy communication. However, not all legal bases adapt to all situations and the application of certain legal bases imposes additional requirements on the controller.

The Data Protection Officer (or other responsible person) helps to develop the lawfulness of the processing by assessing the legal bases for the different purposes in cooperation with the units carrying out the processing and on the basis of data protection communications.

Requirements connected to the task

6. Lawfulness of processing
General Data Protection Regulation
9. Processing of special categories of personal data
General Data Protection Regulation
TSU-07: Käsittelyn lainmukaisuus
Julkri: TL IV-I
TSU-07.3: Käsittelyn lainmukaisuus - Erityiset henkilötietoryhmät
Julkri: TL IV-I

Other tasks from the same security theme

Task name
Priority
Policy
Other requirements
Data store listing and owner assignment
Critical
High
Normal
Low
Processing principles and accountability
44
requirements

Examples of other requirements this task affects

Članak 30.1.i (Imovina): Upravljanja programskom i sklopovskom imovinom
NIS2 Croatia
9.5 §: Suojattavan omaisuuden hallinta
Kyberturvallisuuslaki
9.3.1: Data processing activities management
TISAX
1.3.1: Identification of information assets
TISAX
9.5.1: Management of data transfer
TISAX
See all related requirements and other information from tasks own page.
Go to >
Data store listing and owner assignment
Personnel guidelines for safe processing of personal and confidential data
Critical
High
Normal
Low
Processing principles and accountability
29
requirements

Examples of other requirements this task affects

29. Processing under the authority of the controller or processor
GDPR
7.2.2: Information security awareness, education and training
ISO 27001
18.1.4: Privacy and protection of personally identifiable information
ISO 27001
12.1.1: Documented operating procedures
ISO 27001
11.2.8: Unattended user equipment
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Personnel guidelines for safe processing of personal and confidential data
Records of processing activities -report publishing and maintenance
Critical
High
Normal
Low
Processing principles and accountability
7
requirements

Examples of other requirements this task affects

30. Records of processing activities
GDPR
A.7.2.8: Records related to processing PII
ISO 27701
TSU-01: Käsiteltävien henkilötietojen tunnistaminen
Julkri
TSU-21: Seloste käsittelytoimista
Julkri
61: Seloste käsittelytoiminnasta
Digiturvan kokonaiskuvapalvelu
See all related requirements and other information from tasks own page.
Go to >
Records of processing activities -report publishing and maintenance
Documentation of personal data processing purposes for data stores
Critical
High
Normal
Low
Processing principles and accountability
20
requirements

Examples of other requirements this task affects

6. Lawfulness of processing
GDPR
18.1.4: Privacy and protection of personally identifiable information
ISO 27001
30. Records of processing activities
GDPR
A.7.2.2: Identify lawful basis
ISO 27701
A.7.2.8: Records related to processing PII
ISO 27701
See all related requirements and other information from tasks own page.
Go to >
Documentation of personal data processing purposes for data stores
Executing and documenting data protection impact assessments
Critical
High
Normal
Low
Processing principles and accountability
9
requirements

Examples of other requirements this task affects

35. Data protection impact assessment
GDPR
36. Prior consultation
GDPR
A.7.2.5: Privacy impact assessment
ISO 27701
TSU-16: Tietosuojariskien hallinta
Julkri
TSU-17 : Tietosuojan vaikutustenarviointi
Julkri
See all related requirements and other information from tasks own page.
Go to >
Executing and documenting data protection impact assessments
Defining and documenting retention times for data sets
Critical
High
Normal
Low
Processing principles and accountability
16
requirements

Examples of other requirements this task affects

21 §: Tietoaineistojen säilytystarpeen määrittäminen
TiHL
5. Principles relating to processing of personal data
GDPR
18.1.3: Protection of records
ISO 27001
PR.IP-6: Data destruction
NIST
A.7.4.2: Limit processing
ISO 27701
See all related requirements and other information from tasks own page.
Go to >
Defining and documenting retention times for data sets
Implementation and documentation of balance tests
Critical
High
Normal
Low
Processing principles and accountability
5
requirements

Examples of other requirements this task affects

6. Lawfulness of processing
GDPR
21. Right to object
GDPR
18.1.4: Privacy and protection of personally identifiable information
ISO 27001
TSU-07: Käsittelyn lainmukaisuus
Julkri
See all related requirements and other information from tasks own page.
Go to >
Implementation and documentation of balance tests
Documentation of conditions of consent for relevant processing purposes
Critical
High
Normal
Low
Processing principles and accountability
8
requirements

Examples of other requirements this task affects

7. Conditions for consent
GDPR
17. Right to erasure (‘right to be forgotten’)
GDPR
A.7.2.3: Determine when and how consent is to be obtained
ISO 27701
A.7.2.4: Obtain and record consent
ISO 27701
A.7.3.4: Providing mechanism to modify or withdraw consent
ISO 27701
See all related requirements and other information from tasks own page.
Go to >
Documentation of conditions of consent for relevant processing purposes
Purpose limitation of processed, customer-owned data in offered cloud services
Critical
High
Normal
Low
Processing principles and accountability
1
requirements

Examples of other requirements this task affects

A.3.1: Public cloud PII processor’s purpose
ISO 27018
See all related requirements and other information from tasks own page.
Go to >
Purpose limitation of processed, customer-owned data in offered cloud services
Getting a proper consent for potential commercial utilization purposes of customer-owned data
Critical
High
Normal
Low
Processing principles and accountability
1
requirements

Examples of other requirements this task affects

A.3.2: Public cloud PII processor's commercial use
ISO 27018
See all related requirements and other information from tasks own page.
Go to >
Getting a proper consent for potential commercial utilization purposes of customer-owned data
Process for safe destruction of temporary files and data from data systems
Critical
High
Normal
Low
Processing principles and accountability
3
requirements

Examples of other requirements this task affects

A.5: Data minimization
ISO 27018
A.5.1: Secure erasure of temporary files
ISO 27018
A.8.4.1: Temprorary files
ISO 27701
See all related requirements and other information from tasks own page.
Go to >
Process for safe destruction of temporary files and data from data systems
Consent condition review
Critical
High
Normal
Low
Processing principles and accountability
2
requirements

Examples of other requirements this task affects

A.7.2.4: Obtain and record consent
ISO 27701
P2.1: Communication of choices about personal information to data subjects
SOC 2
See all related requirements and other information from tasks own page.
Go to >
Consent condition review
Limiting marketing and advertising use of personal data processed under a contract
Critical
High
Normal
Low
Processing principles and accountability
1
requirements

Examples of other requirements this task affects

A.8.2.3: Marketing and advertising use
ISO 27701
See all related requirements and other information from tasks own page.
Go to >
Limiting marketing and advertising use of personal data processed under a contract
Restriction of processing for personal data processed on behalf of a customer
Critical
High
Normal
Low
Processing principles and accountability
1
requirements

Examples of other requirements this task affects

A.8.2.2: Organization's purposes
ISO 27701
See all related requirements and other information from tasks own page.
Go to >
Restriction of processing for personal data processed on behalf of a customer
Informing of infringing processing instructions
Critical
High
Normal
Low
Processing principles and accountability
1
requirements

Examples of other requirements this task affects

A.8.2.4: Infringing instruction
ISO 27701
See all related requirements and other information from tasks own page.
Go to >
Informing of infringing processing instructions
Collection and documentation of explicit consents
Critical
High
Normal
Low
Processing principles and accountability
1
requirements

Examples of other requirements this task affects

P3.2: Additional measures when processing requires explicit consent
SOC 2
See all related requirements and other information from tasks own page.
Go to >
Collection and documentation of explicit consents
Data privacy statement process
Critical
High
Normal
Low
Processing principles and accountability
0
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Data privacy statement process
Privacy-related codes of conduct and certification
Critical
High
Normal
Low
Processing principles and accountability
2
requirements

Examples of other requirements this task affects

32. Security of processing
GDPR
TSU-15: Osoitusvelvollisuus
Julkri
See all related requirements and other information from tasks own page.
Go to >
Privacy-related codes of conduct and certification
Regular self-evaluation of the lawfulness of processing personal data
Critical
High
Normal
Low
Processing principles and accountability
5
requirements

Examples of other requirements this task affects

6. Lawfulness of processing
GDPR
9. Processing of special categories of personal data
GDPR
TSU-07: Käsittelyn lainmukaisuus
Julkri
TSU-07.3: Käsittelyn lainmukaisuus - Erityiset henkilötietoryhmät
Julkri
See all related requirements and other information from tasks own page.
Go to >
Regular self-evaluation of the lawfulness of processing personal data
Processing of personal data related to criminal convictions and offenses
Critical
High
Normal
Low
Processing principles and accountability
3
requirements

Examples of other requirements this task affects

10. Processing of personal data relating to criminal convictions and offences
GDPR
TSU-01.1: Käsiteltävien henkilötietojen tunnistaminen - Erityiset henkilötietoryhmät tai rikostuomioihin ja rikoksiin liittyvät tiedot
Julkri
TSU-07.4: Käsittelyn lainmukaisuus - Rikostuomioihin ja rikoksiin liittyvät henkilötiedot
Julkri
See all related requirements and other information from tasks own page.
Go to >
Processing of personal data related to criminal convictions and offenses
Processing of a child's personal data in connection with the provision of information society services based on consent
Critical
High
Normal
Low
Processing principles and accountability
1
requirements

Examples of other requirements this task affects

8. Conditions applicable to child's consent in relation to information society services
GDPR
See all related requirements and other information from tasks own page.
Go to >
Processing of a child's personal data in connection with the provision of information society services based on consent
Identifying and complying with additional requirements related to automated decision-making
Critical
High
Normal
Low
Processing principles and accountability
2
requirements

Examples of other requirements this task affects

A.7.3.10: Automated decision making
ISO 27701
TSU-20: Automatisoidut yksittäispäätökset
Julkri
See all related requirements and other information from tasks own page.
Go to >
Identifying and complying with additional requirements related to automated decision-making

Never duplicate effort. Do it once - improve compliance across frameworks.

Reach multi-framework compliance in the simplest possible way
Security frameworks tend to share the same core requirements - like risk management, backup, malware, personnel awareness or access management.
Cyberday maps all frameworks’ requirements into shared tasks - one single plan that improves all frameworks’ compliance.
Do it once - we automatically apply it to all current and future frameworks.
Start free trial
Get to know Cyberday
Start your free trial
Cyberday is your all-in-one solution for building a secure and compliant organization. Whether you're setting up a cyber security plan, evaluating policies, implementing tasks, or generating automated reports, Cyberday simplifies the entire process.
With AI-driven insights and a user-friendly interface, it's easier than ever to stay ahead of compliance requirements and focus on continuous improvement.
Clear framework compliance plans
Activate relevant frameworks and turn them into actionable policies tailored to your needs.
Credible reports to proof your compliance
Use guided tasks to ensure secure implementations and create professional reports with just a few clicks.
AI-powered improvement suggestions
Focus on the most impactful improvements in your compliance with help from Cyberday AI.
Effortless compliance improvement
Widest framework library in EU
Extensive support

Start your compliance journey

Use in MS Teams or use your browser with Slack integration.
Risk free trial. No credit card required. Stop at any time.

Start free 14-day trial
Book a meeting
How it works?
SummarySecurity tasks and assuranceDocumentation workflowsEmployee guidelinesReporting templates
Use cases
By frameworkAll frameworksISO 27001NIS2 directiveNIST CSFCSA CCMISO 27701GDPRISO 27017ISO 27018
By methodCyber risk managementEmployee awarenessCompliance reportingControl managementAsset managementPrivacy managementVendor assessments
Resources
AcademyWebinarsBlogHelp articlesVideo coursesContent libraryGuidesNewsletterLeave a reviewPartner programTeamTerms of usePrivacy policy
Contact us
+358 10 231 6010
team@cyberday.ai
App works in:
Known in Finland as Digiturvamalli
© Cyberday Inc. Kalevantie 2 33100 Tampere, Finland
Cyberday.ai - Improve and certify your cyber security