- Without transparency, data subjects cannot properly exercise their rights
- Identify all forms of data collection so that information is provided in a timely manner
- Check that the information covers all relevant aspects of GDPR art. 13 & 14
Even if you are not the one who uses them, you have at least seen long GDPR clauses with information about data processing, privacy policies, etc. These should contain all the information required by GDPR art. 13 or 14, depending on whether you collect the data from the data subject or from other sources.
Why must such information be provided? Because without it, the data subject would be unable to exercise rights and control his or her data. If the data are collected from other sources, in many cases the data subject would not know that your organization had acquired them at all.
So the GDPR standard is transparency that gives the data subject a broad scope of control. Information must be provided upon collection, and if data are obtained from other sources, upon first contact with the data subject or first disclosure of the data, but no later than within a month. It includes the contact details of the controller and, if designated, of its EU representative and data protection officer, a list of all purposes of processing, its legal basis, and the legitimate interests pursued by the controller or a third party. Information should also cover data sharing: to which recipients the data will be disclosed and, in the case of data transfers outside the European Economic Area, what their legal basis and safeguards are.
The data subject needs to know how long the data will be stored and what his or her rights are. The data subject must be informed whether providing data is required, what the source of that requirement is, and what the consequences of not providing the data would be. Also, if data are used for automated decision-making with legal or other significant effects, its logic and possible consequences should be described. Finally, if data are collected from other sources, inform the data subject about that source and the data categories obtained.