Annex
Most important obligations of the GDPR
At a very high level, these are the most important GDPR requirements:
1. Organisational requirements
1.1 Accountability, Art. 5 Sec. 2
Companies must be able to prove full compliance with
their obligations under the GDPR. In order to document
the lawfulness of their processing activities, companies
must have appropriate measures and records in place.
These must be constantly updated.
1.2 Records of Data Processing Activities, Art. 30
Records of processing activities under the company’s
responsibility must be maintained in most cases.
These records shall generally contain the following information:
■ Name and contact details of the company and its data protection officer;
■ The purposes of the processing;
■ A description of the categories of data subjects and of the categories of personal data;
■ The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
■ Transfers of personal data to a third country and the documentation of suitable safeguards;
■ Envisaged time limits for erasure of the different categories of data;
■ A general description of the technical and organisational security measures.
1.3 Data Protection Impact Assessment (DPIA),
Art. 35, 36
Where a data processing activity is likely to result in a
high risk to the rights and freedoms of natural persons,
the company shall, prior to the processing, carry out an
assessment of the impact of the envisaged processing
operations. Companies should consider the regulators’
guidelines listing scenarios that always require DPIAs.
If such assessment indicates a high risk that the
company cannot mitigate, the supervisory authority
shall be consulted.
1.4 Data Processors, Art. 28
Companies may use internal or external service
providers to process personal data. These data
processors will process personal data on behalf and
under the instructions of the company. Both parties are
subject to their own data protection obligations under
the GDPR. As an additional compliance requirement,
the parties must conclude a Data Processing
Agreement that specifies their obligations and
allocates responsibilities for the contracted processing
activity.
1.5 Data Protection Officer, Art. 37-39
An independent, reliable and knowledgeable data protection officer must be appointed in case the company’s core activities consist of
■ Processing operations which require regular and systematic monitoring of data subjects on a large scale; or
■ Processing on a large scale of special categories of personal data (e.g. health, religion, race, sexual orientation etc.) and personal data relating to criminal convictions and offences.
A group of undertakings may appoint a single data protection officer provided that he/she is easily accessible from each establishment. Local laws may require the appointment of data protection officers in additional cases (e.g. in Germany). Thus, one global data protection officer steering data protection EU-wide may prove helpful in order to cope with differing EU-wide regulations.
1.6 Implementation of Technical and
Organisational Security Measures, Art. 32
Appropriate and reasonable state-of-the-art technical and organisational measures (TOMs) must be implemented in order to protect the personal data.
1.7 Data Breach Notifications, Art. 33, 34
In case of personal data breaches with risks to the rights and freedoms of the data subjects, the supervisory authority shall generally be informed within 72 hours after the company became aware of the breach. In case of high risks for the data subjects, they generally also must be informed about the breach. Compliance with the notification obligation within the envisioned time period requires a proper internal data breach procedure.
Step Plan GDPR Implementation