These checklists have not been revised and validated externally. Nonetheless, PANELFIT strongly considers them adequate for the purpose that these Guidelines are aimed at.
Design phase checklist
| Step |
|---|
| ☐ Identify the goal(s) of the activity |
| ☐ Assess if the activity amounts to ‘research’ |
| ☐ Identify the roles of the research team and other stakeholders |
| ☐ Confirm that processing biometric data is necessary to reach the goal(s) of the activity |
Preparation phase checklist
| Step |
|---|
| ☐ Assess if one of the five requirements for a DPO applies |
| ☐ If a public authority, check if the DPO can be nominated by another public authority |
| ☐ Publish the contact details of the DPO |
| ☐ Identify if data collection will occur directly from the data subjects or indirectly |
| ☐ Assess if you are eligible for an exemption from the obligation to inform the data subject |
| ☐ Record the assessment of the eligibility for an exemption from the obligation to inform |
| ☐ Define an internal process to ensure the accuracy of the data processed |
| ☐ Identify if exemptions to the processing of special categories of personal data apply |
| ☐ If additional law is required, verify its existence. If none, identify another exemption |
| ☐ If exemptions apply, identify the legal basis for the data processing as per Article 6 GDPR |
| ☐ If relying on consent, make sure it is explicit |
| ☐ Keep a record of consent forms |
| ☐ Create a repository of documents, which contains at least the documents mandated by GDPR |
| ☐ Assess if the processing introduces high risk to the rights and freedoms of natural persons |
| ☐ Record the results of the preliminary assessment |
| ☐ If the processing introduces high risks, perform a DPIA |
| ☐ If risks are not mitigated by the envisaged measures, implement additional adequate measures |
| ☐ If risks are not mitigated and it is not possible to implement additional measures, consult with the supervisory authority |
| ☐ Record the results of the DPIA |
Execution phase checklist
| Step |
|---|
| ☐ Process data applying safeguards and precautions set during the Preparation phase |
| ☐ In case of ICT system development, ensure the data subject can access the necessary information through an appropriate user interface |
| ☐ In case of ICT system development, assess the risks for the data subjects related to every function of the system |
| ☐ Record the result of the assessment of risks related to system functions |
| ☐ If risks cannot be mitigated, consult with the supervisory authority or do not implement |
| ☐ Keep in mind use cases involving vulnerable subjects |
| ☐ In case of ICT system testing, assess if testing the system constitutes a different processing activity from developing the system |
| ☐ Record the result of the assessment of whether testing constitutes a different processing activity |
| ☐ If testing the system constitutes a different processing activity, assess if its purpose is compatible |
| ☐ Record the result of the compatibility test |
| ☐ Assess if dissemination of the outcome involves disseminating personal data and special categories of personal data as well |
| ☐ Identify exemptions to processing special categories of personal data prior to the dissemination |
| ☐ Identify the most appropriate legal basis to process personal data prior to the dissemination |
| ☐ Designate recipients as Data processors |
| ☐ Inform data subjects of the data transfer |
| ☐ Check if the data transfer is international |
| ☐ If the transfer is international, and no derogations apply, identify an instrument for transfer |
| ☐ Assess if it is lawful to retain personal data |
| ☐ Record the result of the assessment on the lawfulness of data retention |
| ☐ If it is unlawful to retain personal data, delete or anonymize them |