Is the data Controller exercising control from outside the EU? (Articles 26, 27)
  • In which country/ies is/are the EU Designated Controller(s)?
  • What is their relationship with the external Controller?
  • What is their relationship with the Data Subjects?
Do we have processes in place to ensure that: (Articles 24, 25)
  • We can show that we have moved our processes in line with IT’s evolution
  • We can show we have dynamic processes in place to track the state of the art and modify our processing accordingly
  • We can show that we implement data-protection principles, such as data minimisation, in an effective manner
  • We can show how we integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR
  • We can demonstrate an appropriate set of policies
  • [ok for now but need to revisit – also need to consider duplication with next sub-box?]
Even if we [the controller] control the Processor, we probably need to ask: (Article 28)
  • Do we have a ‘written contract’ with the processing organisation?
  • Does the contract precisely state what the processing consists of?
  • Do we completely understand the Processor’s data storage arrangements?
  • Do we have a copy of the Processor’s approved code of conduct?
  • Do we permit the Processor to make any decisions at all in managing the data?