if your organisation is determining the purpose of the storage or processing of personal information, it is considered a controller. If your organisation stores or processes personal data on behalf of another organisation, it is considered a processor. It is possible for your organisation to have both roles. Use the filter below to view only the relevant checklist items for your organisation.
This list is far from a legal exhaustive document, it merely tries to help you overcome the struggle.
Feel free to contribute directly on GitHub!
Your company has a list of all types of personal information it holds, the source of that information, who you share it with, what you do with it and how long you will keep it
This is a list of the actual types (columns) of information being held (eg Name, social security nr, address,..). For each type, a source should be documented, the parties this information is shared with, the purpose of the information and the duration for which the company will keep this information.
Reference:
Your company has a list of places where it keeps personal information and the ways data flows between them
This could be a list of databases (eg Mysql), but it could also include offline datastores (paper).
Reference:
Your company has a publicly accessible privacy policy that outlines all processes related to personal data.
You should include information about all processes related to the handling of personal information. This document should include (or have links to) the types of personal information the company holds, and where it holds them.
Reference:
Your privacy policy should include a lawful basis to explain why the company needs to process personal information
It should contain a reason for data processing, eg the fulfillment of a contract.
Reference:
Your company has appointed a Data Protection Officer (DPO)
A DPO is only required in three scenarios: (1) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (2) the core activities of the business consist of processing operations which, by virtue of their nature, scope, and/or purposes, require regular and systematic monitoring of data subjects on a large scale, or (3) the core activities of the business consist of processing on a large scale special categories of data (sensitive data) pursuant to Article 9 and personal data relating to criminal convictions or offenses pursuant to Article 10. If a DPO is required, the DPO should have knowledge of GDPR guidelines as well as knowledge about the internal processes that involve personal information.
Reference:
Create awareness among decision makers about GDPR guidelines
Make sure key people and decision makers have up-to-date knowledge about the data protection legislation.
Reference:
Make sure your technical security is up to date.
For SaaS software companies, use the SaaS CTO security checklist as a starting point below.
Reference:
Train staff to be aware of data protection
A lot of security vulnerabilities involve cooperation of an unwitting person with access to internal systems. Make sure your employees are aware of these risks.
Reference:
You have a list of sub-processors and your privacy policy mentions your use of this sub-processor
You should inform your customers of the use of any sub-processor. They should consent by accepting your privacy policy.
Reference:
If your business operates outside the EU, you have appointed a representative within the EU.
If you have a business outside of the EU and you collect data on EU citizens, you should assign a representative in one of the member states for your business. This person should handle all issues related to processing. In particular, a local authority should be able to contact this person.
Reference:
You report data breaches involving personal data to the local authority and to the people (data subjects) involved
Personal data breaches should be reported within 72 hours to the local authority. You should report what data has been lost, what the consequences are and what countermeasures you have taken. Unless the data leaked was encrypted, you should also report the breach to the person (data subject) whose data you lost.
Reference:
There is a contract in place with any data processors that you share data with
The contract should contain explicit instructions for the storage or processing of data by the processor. The contract should set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. For example, this could include a contract with your hosting provider. The same contract requirements apply when a processor engages a sub-processor to assist it in fulfilling processing activities on behalf of the controller
Reference:
Your customers can easily request access to their personal information
If you do not already have a process defined for this, we've made an easy online form below.
Reference:
Your customers can easily update their own personal information to keep it accurate
If you do not already have a process defined for this, we've made an easy online form below.
Reference:
You automatically delete data that your business no longer has any use for
You should automate deletion of data you no longer need. For example, you should automatically delete data for customers whose contracts have not been renewed.
Reference:
Your customers can easily request deletion of their personal data
If you do not already have a process defined for this, we've made an easy online form below.
Reference:
Your customers can easily request that you stop processing their data
If you do not already have a process defined for this, we've made an easy online form below.
Reference:
Your customers can easily request that their data be delivered to themselves or a 3rd party
If you do not already have a process defined for this, we've made an easy online form below.
Reference:
Your customers can easily object to profiling or automated decision making that could impact them
This is only applicable if your company does profiling or any other automated decision making. If you do not already have a process defined for this, we've made an easy online form below.
Reference:
Where processing is based on consent, such consent must be freely given, specific, informed, and revocable
If your website collects personal information in some way, you should have an easily visble link to your privacy policy and confirm that the user accepts your terms and conditions. Consent requires an affirmative action, so pre-ticked boxes are not permitted.
Reference:
Your privacy policy should be written in clear and understandable terms
It should be written in clear and simple terms and not conceal it's intent in any way. Failing to do so could void the agreement entirely. When providing services to children, the privacy policy should be easy enough for them to understand.
Reference:
It should be as easy for your customers to withdraw consent as it was to give it in the first place
If you do not already have a process defined for this, we've made an easy online form below.
Reference:
If you process children's personal data, verify their age and ask consent from their legal guardian
For children younger than 16, you need to make sure a legal guardian has given consent for data processing. If consent is given via your website, you should try to make sure approval was actually given by the legal guardian (and not by the child).
Reference:
When you update your privacy policy, you inform existing customers
for example, by emailing upcoming changes of your privacy policy. Your communication should explain in a simple way what has changed.
Reference:
You regularly review policies for changes, effectiveness, changes in handling of data and changes to the state of affairs of other countries your data flows to.
You should follow up on best practies and changes to the policies in your local environment. Sign up at the bottom of this page to receive major updates to this list.
Reference:
Your business understands when you must conduct a DPIA for high-risk processing of sensitive data.
This is only applies to businesses carrying out large-scale data processing, profiling and other activities with high risk to the rights and freedoms of people. A special assessment should be carried out in these cases.
Reference:
You should only transfer data outside of the EU to countries that offer an appropriate level of protection
You should also disclose these cross-border data flows in your privacy policy.
Reference:
Right to receive transparent information, communication and modalities for the exercise of your rights.
The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to you in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by you, the information may be provided orally, provided that your identity is proven by other means.
Reference:
Right to receive specific information when your personal data are collected from you directly.
This information is : 1) The identity and the contact details of the controller and, where applicable, of the controller’s representative. 2) The contact details of the data protection officer, where applicable. 3) The purposes of the processing for which the personal data are intended as well as the legal basis for the processing. 4) Where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party. 5) The recipients or categories of recipients of the personal data, if any. 6) Where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
Reference:
Right to receive specific information when your personal data are not collected from you directly.
This information is : 1) The identity and the contact details of the controller and, where applicable, of the controller’s representative. 2) The contact details of the data protection officer, where applicable. 3) The purposes of the processing for which the personal data are intended as well as the legal basis for the processing. 4) The categories of personal data concerned. 5) The recipients or categories of recipients of the personal data, if any. 6)Where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.
Reference:
Right of access: You have the right to obtain from the controller confirmation as to whether or not your personal data are being processed, and, where that is the case, access to your personal data.
You also have to right to access the following information: 1) The purposes of the processing. 2) The categories of personal data concerned. 3) The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations. 4) Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period. 5) The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing. 6) The right to lodge a complaint with a supervisory authority. 7) Where the personal data are not collected from the data subject, any available information as to their source. 8) The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Reference:
Right to rectification: You have the right to obtain from the controller without undue delay the rectification of inaccurate personal data.
Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Reference:
Right to erasure: You have the right to obtain from the controller the erasure of your personal data without undue delay.
The controller shall have the obligation to erase your personal data without undue delay where one of the following grounds applies: 1) The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed. 2) The data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing. 3) The data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2). 4) The personal data have been unlawfully processed. 5) The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject. 6) The personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
Reference:
Right to restriction of processing: You have the right to obtain from the controller restriction of processing.
This right applies in the following situations: 1) The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data. 2) The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead. 3) The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims. 4) The data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
Reference:
Right to be notified regarding rectification or erasure of your personal data or restriction of processing: The controller shall communicate any rectification or erasure of your personal data or restriction of processing.
This right is carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform you about those recipients if you requests it.
Reference:
Right to portability: You have the right to receive your personal data, which you have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which your personal data have been provided.
This processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and the processing is carried out by automated means.
Reference:
Right to object: You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions.
The controller shall no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Reference:
Right not to be subject to a decision based solely on automated processing: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.
This does not applies if the decision: 1) is necessary for entering into, or performance of, a contract between the data subject and a data controller. 2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests. 3) is based on the data subject’s explicit consent.
Reference:
The information above is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this as legal advice, nor as a recommendation of any particular legal understanding.