GDPR Compliance Checklist

Personal data shall be:

1. Processed lawfully, fairly and in a  transparent manner in relation the data subject;
2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
4. Accurate and, where necessary, kept up to date; every reasonable  step must be taken to ensure that personal data are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
6. Processed in a manner that ensures appropriate security of the personal data

(Article 5)

Processing shall be lawful only if and to the extent that at least one of the following applies:

1. The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
2. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
3. Processing is necessary for compliance with a legal obligations to which the controller is subject;
4. Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of the official authority vested in the controller;
6. Processing is necessary for the purposes of the legitimate interests pursued by the controller  or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

{Article 6}

Processing of sensitive Personal Data, such as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, the processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited unless one of the following applies:

1. Data subject has given explicit consent to the processing of those personal data for one or more specified purposes;
2. Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the Data Controller or the Data subject in the field of employment and social security and social protection law;
3. Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
4. Processing relates to personal data which are manifestly made public to the data subject;
5.  Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
6.  Processing is necessary for reasons of substantial public interest;
7. Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health of social care or treatment or the management of health or social care systems and services;
8. Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care;
9. Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

(Article 9)

• Was the Consent freely given?
• Is the Consent presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language?
• Has the Data Subject been informed of his/her right to withdraw Consent?
• Can your Organisation demonstrate that Consent was obtained?

(Article 7)

(unless the Data Subject already has this information)?

Your Organisation must provide the following information:

1. The identity and contact details of the Organisation;
2. The contact details of the Data Protection Officer, where applicable;
3. The purposes of the processing for which the personal data re intended as well as the legal basis for the processing;
4. Where the processing is based on legitimate interests, what such interests are;
5. The recipients of categories of personal data, if any;
6. Where applicable, the fact that your Organisation intends to transfer personal data to a third country or international organisation;
7. Retention period or the criteria used to determine that period;
8. Existence of right of access, right to rectification, right to erasure, right to restriction, right to object, right to data portability;
9. Where processing is based on consent, the right to withdraw consent at any time;
10. The right to lodge a complaint with a supervisory authority;
11. The existence of automated decision-making, including profiling and the meaningful information about the logic involved;
12. Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data.

(Article 13)

[See relevant exceptions]

Your Organisation must provide the following information:

1. The identity and contact details of the Organisation;
2. The contact details of the Data Protection Officer, where applicable;
3. The purposes of the processing for which the personal data re intended as well as the legal basis for the processing;
4. The categories of personal data concerned;
5. Where the processing is based on legitimate interests, what such interests are;
6. The recipients of categories of personal data, if any;
7. Where applicable, the fact that your Organisation intends to transfer personal data to a third country or international organisation;
8. Retention period or the criteria used to determine that period;
9. Existence of right of access, right to rectification, right to erasure, right to restriction, right to object, right to data portability;
10. Where processing is based on consent, the right to withdraw consent at any time;
11. The right to lodge a complaint with a supervisory authority;
12. From which source the personal data originate;
13. The existence of automated decision-making, including profiling and the meaningful information about the logic involved.

(Article 14)

(Article 15)

(Article 16)

(Article 17)

(Article 18)

(Article 20)

(Article 21)

(Article 22)

In order to ensure that your Organisation has considered its privacy obligations and is implementing such in the performance of the processing of personal data, your Organisations must have data protection policies in place that regulate different aspects of the processing operations.

(Article 5)

1. the name and contact details of the controller and the data protection officer (if one is appointed);
2. the purposes of the processing;
3. a description of the categories of data subjects and of the categories of personal data;
4. the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
5. transfers of personal data to a third country or an international organisation, including the name of the country or international organisation and, the documentation of the safeguards for the transfer (i.e. based on consent, necessary to perform a contract, public interest);
6. where possible, the envisaged time limits for erasure of the different categories of data;
7. where possible, a general description of the technical and organisational security measures.

(Article 30)

Your Organisation must take into account the state of art, costs and the nature, scope and context of processing in order to determine what is appropriate to the risks involved. Security covers organisational (i.e. people, processes) and technical measures, which can include Pseudonymisation, Encryption, Ensuring ongoing integrity, confidentiality, availability and resiliency, and the ability to restore in a timely manner, amongst others.

(Article 32)

Employees and Authorised Persons who handle personal data of other Employees or Customers (such as RCi’s employees, agents and authorised persons) must receive training in order to ensure that they handle such  in accordance with GDPR.

Your Organisation  should keep a record of training and provide update and refresher training

(Article 29)

The notification must involve details about the nature of the breach, likely consequences and mitigations being taken to address it.

Does your Organisation have technical and organisational measures in place to enable it to notify the Data Subject of the occurrence of a personal data breach where this is of high risk to the rights of the Data Subject concerned?

(Article 33,34)

In this case, this relationship shall be governed by a written contract must satisfy the minimum requirements imposed under the GDPR. Your Organisation must also ensure that it has received 'sufficient guarantees' from its data processors that such processors can implement measures (technical and organisational) to meet the requirements of the GDPR.

(Article 28)

The approved transfer mechanisms are as follows:

1. A country which has a finding of adequacy from the European Commission;
2. Binding corporate Rules;
3. Standard Contractual Clauses as approved by the European Commission;
4. With the consent of the data subject;
5. The transfer is necessary for the performance of a contract with the data subject;
6. The transfer is in the public interest;
7. The transfer is necessary to establish, exercise or defend legal claims;
8. The transfer is necessary to protect the vital interests of a person where the data subject is physically or legally incapable of giving consent.

(Article 44- 49)