1. Principles & Lawfulness of Processing
Personal data shall be:
Processing shall be lawful only if and to the extent that at least one of the following applies:
Processing of sensitive Personal Data, such as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, the processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited unless one of the following applies:
2. Data Subject Rights
(unless the Data Subject already has this information)?
Your Organisation must provide the following information:
[See relevant exceptions]
3. General Obligations
In order to ensure that your Organisation has considered its privacy obligations and is applying them when processing personal data, your Organisation must have data protection policies in place that regulate the different aspects of its processing operations.
Your Organisation must take into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing in order to determine what is appropriate to the risks involved. Security covers organisational (i.e. people, processes) and technical measures, which can include pseudonymisation, encryption, ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems, and the ability to restore availability and access to personal data in a timely manner, amongst others.
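As an added illustration of the pseudonymisation measure named above (this is example code written for this page, not part of the original checklist or of any organisation's tooling): direct identifiers in a record set are replaced by tokens computed with HMAC-SHA256 under a secret key that is stored separately from the data, so records about the same person stay linkable for analysis while the identifiers themselves are not present. It also shows why a plain, unkeyed hash of an e-mail address is not adequate pseudonymisation: identifiers have low entropy, so an attacker can recover them from a candidate list. The records, names, e-mail addresses and field choices are all constructed for the example.

```python
"""Keyed pseudonymisation of direct identifiers (added example, constructed data)."""
import hashlib
import hmac
import secrets

# Constructed sample records; the people and addresses are invented.
RECORDS = [
    {"customer_id": "C-1001", "email": "Alice@example.com", "order_total": 42.50},
    {"customer_id": "C-1002", "email": "bob@example.com",   "order_total": 19.99},
    {"customer_id": "C-1001", "email": "alice@example.com", "order_total": 7.00},
]

# Fields treated as direct identifiers in this example (an assumption for the demo).
DIRECT_IDENTIFIERS = ("customer_id", "email")


def new_pseudonymisation_key() -> bytes:
    """Generate the secret that must be stored separately from the pseudonymised data."""
    return secrets.token_bytes(32)


def pseudonym(value: str, key: bytes) -> str:
    """Map an identifier to a stable token via HMAC-SHA256 under a secret key.

    Normalisation (strip/lower) keeps 'Alice@example.com' and 'alice@example.com'
    linked to the same token, which analysis over the data set usually needs.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(records, key, fields=DIRECT_IDENTIFIERS):
    """Return copies of the records with the listed identifier fields replaced by tokens."""
    out = []
    for rec in records:
        copy = dict(rec)
        for field in fields:
            if field in copy:
                copy[field] = pseudonym(str(copy[field]), key)
        out.append(copy)
    return out


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256 of the identifier: what NOT to call pseudonymisation."""
    return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()


def reidentify(token: str, candidates, key=None):
    """Dictionary attack: hash each candidate identifier and compare against the token.

    With key=None the attacker only needs the public hash function; against a keyed
    token the attack fails unless the attacker also holds the key.
    """
    for cand in candidates:
        guess = pseudonym(cand, key) if key is not None else unkeyed_hash(cand)
        if hmac.compare_digest(guess, token):
            return cand
    return None


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    safe = pseudonymise(RECORDS, key)
    for row in safe:
        print(row)
    # Candidate list an attacker might plausibly hold (constructed for the demo).
    leaked_candidates = ["alice@example.com", "bob@example.com", "carol@example.com"]
    print("unkeyed hash reversed to:", reidentify(unkeyed_hash("alice@example.com"), leaked_candidates))
    print("keyed token reversed to: ", reidentify(safe[0]["email"], leaked_candidates))
```

Two caveats a practitioner would want alongside this: the key is the whole protection, so it belongs in a secrets store with access separate from the pseudonymised data set, and a pseudonymised data set is still personal data under the GDPR (Recital 26) because the controller holding the key can re-identify it; pseudonymisation reduces risk, it does not take the data out of scope.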
Employees and Authorised Persons who handle personal data of other Employees or Customers (such as RCi's employees, agents and authorised persons) must receive training in order to ensure that they handle it in accordance with the GDPR.
Your Organisation should keep a record of training and provide update and refresher training.
The notification must include details of the nature of the breach, its likely consequences and the mitigations being taken to address it.
Does your Organisation have technical and organisational measures in place to enable it to notify the Data Subject of the occurrence of a personal data breach where this is of high risk to the rights of the Data Subject concerned?
4. Personal Data Processors and Data Transfers
In this case, the relationship shall be governed by a written contract that must satisfy the minimum requirements imposed under the GDPR. Your Organisation must also ensure that it has received 'sufficient guarantees' from its data processors that they can implement the measures (technical and organisational) needed to meet the requirements of the GDPR.
The approved transfer mechanisms are as follows:
(Articles 44 to 49)