12 new national NIS2 framework versions published! Read more ->
Cyberday back to normal - related blog
With regard to the processing of personal data, the data subject must be provided with the information specified in the GDPR in a concise, comprehensible and easily accessible form. This is often done in the form of privacy statements, which are published, for example, on the organisation's website.
Where personal data have not been collected from the data subject himself, the descriptions shall state, in addition to the basic content:
Whenever we process personal data, the data subject has certain rights, e.g. gain access to their data and, in certain situations, oppose processing or have their data deleted.
We have planned procedures for handling data subject requests, which may include e.g.:
In the absence of specific situations as defined in the Data Protection Regulation, but one of the following criteria is met, the data subject has the right to have his or her personal data deleted:
We are aware of the situations in which the "right to be forgotten" is realized in our actions. We have designed policies for these situations, which may include e.g.:
Understanding data sources is important for understanding data flow. In addition, data protection communications shall be able to communicate the sources of personal data in cases where the data have not been collected directly from the data subject himself.
The organization must define procedures for informing the controller of all processors of personal data before processing begins.
The notification shall include the data processed by the processors and the purposes for which they process the data.
The organization must have clear procedures for situations where the organization is required by law to disclose personal information to the authorities. In addition, a list must be kept of these individual data disclosures.
The organization shall pay particular attention to the communication of these situations and the timing of the communication to interested customers, unless this is illegal due to, for example, an ongoing investigation or other legal matter.
These practices must be describeable to interested customers upon request. Procedures and reporting obligations must be described, e.g. contracts for offered digital services.
When personal data is processed on the basis of the data subject's consent, the organization should provide data subjects with a clear process for editing or withdrawing their consent. Editing may also mean limiting the processing of personal data, which may affect the controller's right to delete the data in question.
The process should include recording requests for editing in a way similar to recording consent. Changes to consent must be communicated to all relevant data systems, authorized users and third parties. The process should also define the response time in which the requests should be processed.
N.b.! Different jurisdictions may have restrictions on how and when the data subject can modify their consent.
Data subjects should be offered a clear means by which they can object to the processing of personal data.
The implementation method for objecting to processing may vary, but it should be in line with the way of using the service offered (e.g. in online services, objecting to processing should also be possible online).
Registrants should be offered a mechanism by the organization to view and correct their personal data.
The organization should have pre-planned procedures for situations where third parties need to be notified of changes, deletions and prohibitions regarding shared personal data.
These parties can be, for example, partners who process data or organizations to which personal data has been disclosed forward.</p>
The organization must be able to provide the data subject with a copy of the personal data being processed at the data subject's request.
The organization must plan in advance a process by which a copy of the personal data can be delivered in a structured and commonly used format and securely to the data subject.
Toimiessaan yhteisrekisterinpitäjänä organisaatio määrittelee läpinäkyvällä järjestelyllä muiden yhteisrekisterinpitäjien kanssa rekisterinpitäjien velvoitteiden noudattamisesta sekä rekisteröityjen informoinnista.
Organisaatio voi esimerkiksi tehdä sopimuksen eri yhteisrekisteripitäjien kanssa tai dokumentoida kirjallisesti yhteisrekisterinpitäjyyteen liittyvät menettelyt sekä julkaista ne verkossa ja asettaa saataville toimipisteissä.
The organisation has determined the legal basis for the purposes for which the personal data it has identified are used, taking into account the rights of the data subject in relation to that processing.
The data subject cannot exercise all his or her rights in all situations. The rights that may be exercised by the data subject depend on the basis on which the personal data in question are processed. An organisation can make use of guidance from data protection authorities on how the basis of processing affects the available rights. There may also be exceptions to these rights in specific legislation governing the organisation, or it may be possible to refuse to exercise them on strong grounds in individual cases.
The organization has created and communicated to registered users a process through which they can report questions, complaints or disputes related to data protection.
The organization has rules of procedure for handling, resolving and communicating issues that come to this channel. Valid issues that arise can be handled, for example, through the general non-conformity management process.
The purposes of the processing of personal data will change as the business develops. Privacy communications should stay up-to-date and reflect the actual state of processing.
We regularly make sure that all processing purposes are mentioned in communications (e.g. privacy statements), that the processing is accurately described, and that communications are provided to data subjects within the required time limits.
Privacy communications should be concise, easy to understand and easily accessible. To develop privacy communications, we test our communications for different uses by providing a snapshot of the privacy communications to a test group selected from among data subjects, and modifying the communications based on their feedback.
The data subject shall have the right to obtain the personal data provided to the controller in a structured, commonly used and machine-readable form and, if he so wishes, to transfer such data to another controller. This can mean, for example, a way to download data added to a web service at a time in a general format (eg XLS, XML, JSON).
The right applies when the following conditions are met:
The right does not cover data that have been generated by the controller himself on the basis of data provided by the data subject (e.g. health assessments) or that have been compiled from the analysis of data generated from the data subject's monitoring (such as profiling).
Our organization is aware of situations where the data subject has the right to transfer their data. We have designed policies for these situations, which may include e.g.:
The organization has defined the ways in which the data subject's understanding of the effects of his consent is ensured.
At least the following points of view are clearly communicated to the data subject:
The organization has defined clear procedures that it follows in informing data subjects when refusing to implement data protection requests (e.g. the right to access or correct data). In these situations, the reasons on which the request was refused must be clearly communicated to the registered.
.png)
