Listing of data protection requirements under Regulation EU 2016/679 (GDPR) on the protection of personal data.

Status check list

Background

a. The Regulation will be implemented in May 2018.
b. Beyond informing data controllers and processors on the categories of infringements, this list takes the opportunity to raise awareness on a series of checks which are to be conducted by controllers and processors before the implementation of the GDPR. For this purpose, examples of infringements in practice (Column 4) inform us on what not to do in order to foresee remedies (Column 5).
c. Beyond point b), Column 4 provides long-term reminders to controllers and processors, the Privacy team and the Compliance team in the form of a set of requirements.
d. In order to guide us through our GDPR project, a simple RAG system, i.e. Red Amber Green (Column 6), indicates the state of play of each category (Column 3) and remedies (Column 5).
e. Red means that no action so far has been taken, Amber means that an action has started/is under way, Green means that the action has been implemented.

Columns: N° | Category | Examples of possible infringements | Potential remedy

1. Basic principles for processing
• Although a purpose has been defined, data are processed for a different or secondary purpose.
• Data are processed in bulk without being assessed in light of proportionality and necessity.
• Data are not kept accurate.
• Data are processed for a longer period than is necessary.
• No step has been created to allow rectification or erasure.

2. Basic principles for processing: Lawfulness
• The processing is implemented under a legal basis not referred to in Art.6.
• The processing is implemented without a legal basis.
• A third party uses the personal data without clear instructions from the data controller.

3. Basic principles for processing: Conditions for consent
• The data controller cannot prove that he/she has processed data subjects' consent.
• The format under which consent is acquired is misleading or not in an intelligible manner.
• The data controller has not allowed the possibility for the data subjects to revoke their consent.

4. Children's consent in information society services
• In communication and/or promotion services and products, COMPANY does not check whether parental authorisation was duly acquired via its services (social media, applications…).
• In communication and/or promotion services and products, COMPANY does not set specific provisions with its contractor to manage the processing of minors' data.

5. Basic principles for processing: Special categories of personal data
• Sensitive data are processed without consent, purpose or a legitimate interest.
• The processing does not fit within the 10 exceptions provided in Art.9.2 (i.e. a) to j)).
• COMPANY processes criminal records or data related to criminal records without proper safeguards/authorisation.

6. Processing which does not require identification
• (no examples listed)

7. Data subjects' rights: Transparency and information
• The controller does not specify the data processing in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
• The controller takes too much time to reply (> 1 month) to a data subject query related to a data processing.
• In the case where the request is unfounded or excessive, the controller does not demonstrate the manifestly unfounded or excessive character of the request.
• Information and policies are published in bulk.

8. Data subjects' rights: Information to be provided (Art.13)
• Information provided to the data subjects does not fulfil the requirements under Art.13.1 and 13.2.
• No information is provided or kept up to date.
• In the case where COMPANY intends to extend the data processing, COMPANY has not published updated information to data subjects prior to this extension.

9. Data subjects' rights: Information to be provided (Art.14)
• Information provided to the data subjects does not fulfil the requirements under Art.14.1 and 14.2.
• No information is provided or kept up to date.

10. Data subjects' rights: Right of access
• The data controller is not able to confirm to a data subject whether or not personal data concerning him or her are being processed.
• The data controller does not give, or only partially gives, access to the information listed under Art.15.1.
• The data controller does not give a copy of the personal data undergoing processing.

11. Data subjects' rights: Right to rectification
• The data controller is not granting rectification of personal data with sufficient motivation.
• The data controller grants rectification within an unreasonable delay.
• The data controller does not follow up with the request.

12. Data subjects' rights: Right to erasure
• The data controller is not granting erasure of personal data with sufficient motivation.
• The data controller grants erasure within an unreasonable delay.
• The data controller refuses on an ill-founded basis (i.e. outside of the exceptions of Art.17.3) or does not motivate its refusal enough under these exceptions.

13. Data subjects' rights: Right to restriction
• The data controller is not granting restriction of personal data with sufficient motivation.
• The data controller grants restriction within an unreasonable delay.
• Following restriction of the processing, the controller still processes personal data in opposition to the data subject's consent as per Art.18.2.

14. Data subjects' rights: Notification regarding Art. 16, 17 and 19
• The data controller is not motivating its refusal or partial refusal with a relevant, accurate, understandable and clear basis and explanation in clear language.
• The data controller omits to notify the data subjects of its refusal to grant a right.

15. Data subjects' rights: Right to portability
• The data controller is not granting portability of personal data with sufficient motivation.
• The data controller transmits personal data with hindrance.
• The data controller submits the data but in an unreadable format to the data subject.

16. Data subjects' rights: Right to object
• The data controller is not granting objection to the processing of personal data with sufficient motivation.
• The data controller grants objection within an unreasonable delay.
• The data controller still processes personal data although the right to object to the processing has been lodged by the data subject.

17. Data subjects' rights: Object to automatic decision making
• For automated decision making in the processing of his personal data, the data subject is to be granted the right not to be processed.
• The data controller has the burden of proof related to the collection of data subject consent to proceed with the automated decision.
• The data controller should set adequate safeguards to proceed with the automated decisions.

18. Restrictions to data subjects' rights
• The data controller illegitimately restricts a data subject's rights under Art.23.1 a) to j).
• The data controller does not analyse such restrictions against the fundamental interest of the data subject (test of proportionality and necessity).

19. Responsibility of the controller
• The data controller does not set adequate safeguards to the processing.
• The data controller does not review its safeguards on a regular basis.
• The data controller does not document its safeguards and is in no position to demonstrate them to the authorities and data subjects.

20. Privacy by design and default
• The data controller does not set appropriate and adequate safeguards before the implementation of the data processing.
• The safeguards do not meet the criteria of data protection principles, such as proportionality, necessity and lawfulness.
• By default, the data controller processes more data than it should.
• The data controller does not regularly review and revise the safeguards after implementation of the data processing.

21. Joint controllers
• Lack of clarification regarding the role, responsibility and arrangements between two or more data controllers.

22. Controller and processors outside of the EU
• COMPANY needs to publicly announce a representative in the EU.

23. Role of the processor
• The data controller does not verify that the processor is guaranteeing the security/safety of the processing.
• No provision has been set between the data controller and the (external) processor through a contract.
• The contract does not include binding provisions in light of Art. 28.3 requirements.
• No contractual clauses are being used.
• No check on the processor for an existing Code of Conduct or a Certification was done by the controller.

24. Records of processing activities
• The controller must maintain a record of processing.
• The record must contain the information under Art.30.1.
• Similarly for a processor.
• The record is not public but can be requested by a Data Protection Authority.
• The records (i.e. a register of processing) are not reviewed, maintained and updated accordingly by the data controller and the processor.

25. Cooperation with National Data Protection Authorities (DPA)
• The data controller or the processor replies to the DPA within an unreasonable time.
• The data controller or the processor does not reply to the DPA.

26. Security of processing
• The data controller and the processor do not set security measures which remedy the risks provided by Art.33.1.
• The security measures are manifestly too weak in light of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

27. Notification of a breach to the DPA
• The data controller notifies a breach to the DPA after the 72 hours deadline.
• The data controller omits to notify a data breach to the DPA.
• The data controller does not inform the DPO or the DPA in line with the requirements set in Art.33.3.

26. Communication of a breach to data subjects
• When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller does not communicate the personal data breach to the data subject.
• The data controller communicates the breach but with unreasonable delay.

27. Data protection impact assessment
• The data controller does not conduct a DPIA as per the Art.35.3 indications.
• The data controller does not seek advice from the DPO.
• The data controller leaves the DPO to do the DPIA on its behalf.

28. Prior consultation with the DPA
• In the case where the DPIA demonstrated a high risk or where a remedy could not be found, the data controller does not check its findings with the DPA beforehand.
• The data controller implements the processing before receiving the opinion of the DPA.

29. Designation of a DPO and powers
• No DPO is in place at COMPANY.
• Its contact details are not publicly available.
• The DPO cannot be contacted by several means.

30. Codes of Conduct
• The Code does not integrate the requirements of Art.40.2.
• COMPANY violates the Code of Conduct it adhered to.

31. Certification
• Following certification, COMPANY does not respect its commitment under this certification.
• Following certification, COMPANY does not check if its processors adhere to the same level of this certification.

32. Transfer of personal data
• Transfers to third countries and international organisations are conducted without proceeding with safeguards, analysis and due care in light of the Regulation requirements (e.g. BCRs, Standard Contractual Clauses, decisions, contract and provisions…).

33. Transfer of personal data: Adequacy decision
• A transfer is made to unlisted countries/organisations which do not appear in the list of countries and organisations of the Commission (where an Adequacy decision has been established at international level) without relevant safeguards.

34. Transfer of personal data: Appropriate safeguards
• A transfer is made with safeguards which do not fit the requirements under Art.46.2.

35. Transfer of personal data: Judgement
• The data controller or processor proceeds with a transfer under a judgement which is not based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union.

36. Transfer of personal data: Derogations
• A transfer is made under one of the 7 derogations of Art.49 without concrete motivations and explanations.
• A transfer is made but none of the 7 derogations of Art.49 has been used as a motivated basis.

*Not (yet) applicable – To be determined