Frequently Asked Questions

Yes, as long as the employee's existing professional duties are compatible with the duties of the DPO and do not lead to a conflict of interests; you do not have to create a new post.

Yes, you can contract out the role of DPO, based on a service contract with an individual or an organisation. The externally-appointed DPO should have the same position, tasks and duties as an internal DPO.

  • Have you collected and stored the appropriate and necessary consent of the Data Subject?
      • For data processing
      • For data storage
      • To facilitate data-subject rights
      • To know if a breach has occurred
      • While ensuring that withdrawal of consent is as easy as giving it.
    Corporations can only use the data for purposes that are:
      • pre-defined
      • explicit
      • with the full agreement of the individual in advance
  • Have you informed the Data Subject?
      • Why we need the data specified
      • All processing that will be enacted upon it
      • When we will destroy or re-consent the data
      • Where we sourced the data
      • Precisely with whom we will send or 'share' the data
      • About their rights of access and how to effect that
  • Even if we [the controller] control the Processor, we probably need to ask (Article 28):
      • Do we have a 'written contract' with the processing organisation?
      • Does the contract precisely state what the processing consists of?
      • Do we completely understand the Processor's data storage arrangements?
      • Do we have a copy of the Processor's approved code of conduct?
      • Do we permit the Processor to make any decisions at all in managing the data?
  • Is the data Controller exercising control from outside the EU? (Articles 26, 27)
      • In which country/ies is/are the EU Designated Controller(s)?
      • What is their relationship with the external Controller?
      • What is their relationship with the Data Subjects?
  • Do we have processes in place to ensure that (Articles 24, 25):
      • We can show how we protect the rights of data subjects
      • We can show that only personal data which are necessary for each specific purpose of the processing are processed
      • We can show how this applies to the amount of personal data collected and the extent of their processing
      • We can justify the period of their storage and the data accessibility
  • Have you informed the Data Subject?
      • Of their different rights to "object" in various ways to, or to prevent, our different types of processing, and the automated or other methods available to them to exercise these rights
      • Of the right to be excluded from profiling, and how
      • How to secure human attention to their concerns
      • If any limitations to their rights apply
  • Do we have processes in place to ensure that (Articles 24, 25):
      • We can show that we have moved our processes in line with IT's evolution
      • We can show we have dynamic processes in place to track the state of the art and modify our processing accordingly
      • We can show that we implement data-protection principles, such as data minimisation, in an effective manner
      • We can show how we integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR
      • We can demonstrate an appropriate set of policies