Which GDPR Requirements Do You Need to Meet?
KirkpatrickPrice
Innovation. Integrity. Delivered.

Requirements for Data Controllers:

Article 24 - Responsibility of the Controller
❒ Demonstrate Appropriate Technical and Organizational Measures to Ensure Processing Compliance
❒ Policy Documentation of Technical and Organizational Measures
❒ Review and Update Technical and Organizational Measures to Ensure Processing Compliance

Article 25 - Data Protection by Design and Default
❒ Appropriate Technical and Organizational Measures at Implementation and Processing
❒ Default Data Collection Measures to Obtain Minimum Necessary Data for Specific Purposes

Article 26 - Joint Controllers
❒ Identified, Defined, and Agreed-Upon Responsibilities
❒ Joint Controller Arrangements Reflecting Roles and Relationships
❒ Notify Data Subjects of Joint Controller Arrangements

Article 34 - Communication of a Personal Data Breach to the Data Subject
❒ Communication of a Personal Data Breach to the Data Subject
❒ Identification of High Risk Data Breaches and Communication to Data Subjects within Required Timeframes
❒ Clear and Plain Language of Breach Notifications to Data Subjects
❒ Exceptions to Data Subject Communication Requirements
❒ Data Breach Notification to Subjects Based on Supervisory Authority Request

Article 35 - Data Protection Impact Assessment
❒ Conduct Data Protection Impact Assessment
❒ Seek Advice of Data Protection Officer
❒ Specific Circumstances Requiring Data Protection Impact Assessment
❒ Processing Operations that Require Data Protection Impact Assessment as Designated by Supervisory Authority
❒ Required Information for a Data Protection Impact Assessment
❒ Seeking Data Subject or Data Subject Representative Views
❒ Exceptions to Data Protection Impact Assessment Requirement Based on Law
❒ Change in Risk to Previous Data Protection Impact Assessment

Article 36 - Prior Consultation
❒ Consulting Supervisory Authority Prior to High Risk Processing
❒ Required Content for Consulting with Supervisory Authority

Requirements for Data Processors:

Article 28 - Processor
❒ Processor Guarantee of Appropriate Technical and Organizational Measures to Controllers
❒ Written Authorizations for Processor to Engage Other Processors
❒ Inform Controller of Changes to Other Processors
❒ Binding, Written Contracts with Required Elements
❒ Standard of Data Protection of Other Processors
❒ Application of Standard Contract Clauses

Article 29 - Processing Under the Authority of the Controller or Processor
❒ Processing Only Under the Authority of the Controller

KirkpatrickPrice
Which GDPR Requirements Do You Need to Meet?
1 of 4
Requirements for Both Data Controllers and Data Processors:

Article 2 - Material Scope

Article 3 - Territorial Scope

Article 5 - Processing of Personal Data
❒ Lawful, Fair, and Transparent
❒ Specified, Explicit, and Legitimate Purpose
❒ Only Data that is Adequate, Relevant and Necessary
❒ Data Accuracy
❒ Data Retention
❒ Appropriate Security
❒ Demonstrable Compliance

Article 6 - Processing of Personal Data
❒ Lawful Basis
❒ Additional Processing

Article 7 - Conditions for Consent
❒ Demonstrable Consent in all Cases
❒ Clearly Distinguishable
❒ Withdrawal of Consent

Article 8 - Conditions Applicable to Children
❒ Consent by Parental Figure

Article 9 - Processing Special Categories
❒ Exceptions Justifying Processing

Article 10 - Processing Criminal Data

Article 11 - Processing Not Requiring Personal Identification

Article 12 - Transparent Information, Communication and Modalities for the Exercise of the Rights of the Data Subject
❒ Concise, Transparent, Intelligible and Easily Accessible Information
❒ Use of Plain Language
❒ Contained in the Required Formats
❒ Facilitating the Exercise of Data Subject Rights
❒ Required Timeframes for:
  ❒ Facilitating the Exercise of Rights
  ❒ Not Facilitating the Exercise of Rights
❒ Charging for the Exercise of Rights
❒ Verifying Requestor Identity

Article 13 - Information to be Provided Where Personal Data is Collected from the Data Subject
❒ Information Required for the Data Subject at Point of Collection
❒ Additional Information Related to Fair Processing
❒ Information Related to Additional Processing Purposes
❒ When the Data Subject Already Received All Required Information

Article 14 - Information to be Provided Where Personal Data Has Not Been Obtained from the Data Subject
❒ Information Required for the Data Subject
❒ Additional Information Related to Fair Processing
❒ Required Timeframes for Providing Information
❒ Information Related to Additional Processing Purposes
❒ When the Data Subject Already Received All Required Information

Article 15 - Right of Access by the Data Subject
❒ Procedures for Granting Right to Access and Providing Required Information
❒ Information Regarding International Transfers
❒ Providing Copies of Data, Fees, and Formats
Requirements for Both Data Controllers and Data Processors continued:

Article 16 - Right to Rectification
❒ Procedures to Rectify Inaccurate Personal Data and Complete Incomplete Data

Article 17 - Right to Erasure (“Right to be Forgotten”)
❒ Procedures to Erase Personal Data within Required Timeframes Upon Legitimate Grounds for Erasure
❒ Informing Other Controllers of Erasure Requests
❒ Procedures for Denying Requests for Erasure

Article 18 - Right to Restriction of Processing
❒ Procedures for Restricting Processing on Legitimate Grounds
❒ Consent for Processing Restricted Data
❒ Prior Notice for Removing Restrictions

Article 19 - Notification Obligation Regarding Rectification or Erasure of Personal Data or Restriction of Processing
❒ Procedures for Communicating Rectification or Erasure to Relevant Third Parties

Article 20 - Right to Portability
❒ Procedures for Providing Data to Data Subjects in a Structured, Commonly Used, and Machine-Readable Format
❒ Procedures for Transmitting Data to Another Controller

Article 21 - Right to Object
❒ Procedures for Receiving, Assessing, and Complying with Objections to Processing
❒ Procedures for Receiving Objections to Direct Marketing
❒ Procedures for Complying with Objections to Direct Marketing
❒ Communicating the Right to Object to the Data Subject at First Communication, Clearly Separated from Other Communication
❒ Data Processing for Public Interest

Article 22 - Automated Individual Decision-making, Including Profiling
❒ Automated Decision Making, Including Profiling
❒ Clear Basis for Automated Decision Making
❒ Human Intervention and Right to Object to Automated Decision-Making
❒ Special Categories of Data and Automated Decision-Making

Article 23 - Restrictions
❒ Legal Restrictions to Obligations and Rights
❒ Clearly Known, Defined, and Understood Restrictions

Article 27 - Representatives of Controllers or Processors Not Established in the European Union
❒ European Union Representative Designated in Writing
❒ Applicability of Designated Representative
❒ Location of Designated Representative
❒ Designated Representative Mandate

Article 30 - Records of Processing Activities
❒ Maintaining Records of Processing, Including Required Elements, for Controllers
❒ Maintaining Records of Processing, Including Required Elements, for Processors
❒ Record Formats
❒ Availability to Supervisory Authorities
❒ Applicability of Maintaining Records of Processing

Article 31 - Cooperation With the Supervisory Authority
❒ Processes for Cooperating with Supervisory Authorities Upon Request

Article 32 - Security of Processing
❒ Risk-Appropriate Technical and Organizational Measures to Ensure Data Security
❒ Evaluate Risk of Accidental or Unlawful Destruction, Loss, Alteration, Unauthorized Disclosure, or Access to Personal Data
❒ Consideration and Implementation of Available Approved Codes of Conduct
❒ Personnel Controls to Ensure Only Permitted Processing
Requirements for Both Data Controllers and Data Processors continued:

Article 33 - Notification of a Personal Data Breach to the Supervisory Authority
❒ Controller Data Breach Notification Procedures, Including Required Timeframes
❒ Processor Data Breach Notification to Controllers
❒ Breach Notification Required Content
❒ Further Provision of Information
❒ Documentation of Data Breaches

Article 37 - Designation of the Data Protection Officer
❒ Requirements for Appointing a Data Protection Officer
❒ Data Protection Officer for Group of Undertakings
❒ Data Protection Officer for Group of Public Authorities
❒ Qualifications of Data Protection Officer
❒ Internal Employee or Contractor
❒ Publication and Communication of Contact Information of Data Protection Officer

Article 38 - Position of Data Protection Officer
❒ Involvement of Data Protection Officer in Relevant Matters
❒ Adequate Resources for Data Protection Officer
❒ Independence of Data Protection Officer
❒ Processes for Data Subjects to Contact Data Protection Officer
❒ Secrecy and Confidentiality of Data Protection Officer Tasks
❒ Other Duties for Data Protection Officer and Conflict of Interest

Article 39 - Tasks of Data Protection Officer
❒ Mandatory Tasks of Data Protection Officer
❒ Regard for Risk

Article 44 - General Principle for Transfers
❒ Compliance with Principles

Article 45 - Transfers on the Basis of an Adequacy Decision
❒ Identifying Countries, Territories, and Sectors with Adequate Levels of Protection

Article 46 - Transfers Subject to Appropriate Safeguards
❒ Appropriate Safeguards for Transfers Without an Adequacy Decision

Article 47 - Binding Corporate Rules
❒ Approval of Corporate Rules by Supervisory Authority
❒ Required Content

Article 49 - Derogations for Specific Situations
❒ Exemptions from International Transfer Mechanism Requirements
❒ Assessment of Exemptions and Safeguards
❒ Documentation of Assessment and Safeguards