External Controller (Alan; Articles 26, 27)
Is the data Controller exercising control from outside the EU?
  In which country/ies is/are the EU Designated Controller(s)?
  What is their relationship with the external Controller?
  What is their relationship with the Data Subjects?
Responsibility of the controller – Data protection by design and by default (Alan; Articles 24, 25)
Do we have processes in place to ensure that:
  We can show that we have moved our processes in line with IT’s evolution
  We can show we have dynamic processes in place to track the state of the art and modify our processing accordingly
  We can show that we implement data-protection principles, such as data minimisation, in an effective manner
  We can show how we integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR
  We can demonstrate an appropriate set of policies
[ok for now but need to revisit – also need to consider duplication with next sub-box?]
Do we know EXACTLY what and where all ‘Processing’ is / is taking place? (Alan; Article 28)
Even if we [the controller] control the Processor, we probably need to ask:
  Do we have a ‘written contract’ with the processing organization?
  Does the contract precisely state what the processing consists of?
  Do we completely understand the Processor’s data storage arrangements?
  Do we have a copy of the Processor’s approved code of conduct?
  Do we permit the Processor to make any decisions at all in managing the data?