These checklists have not been externally reviewed or validated. Nonetheless, PANELFIT considers them adequate for the purpose these Guidelines are intended to serve.
Design phase checklist
☐ Identify the goal(s) of the activity
☐ Assess whether the activity qualifies as ‘research’
☐ Identify the roles of the research team members and of the other stakeholders (e.g. who acts as controller and who as processor)
☐ Confirm that processing biometric data is necessary to reach the goal(s) of the activity, i.e. that they cannot be reached with less intrusive data
Preparation phase checklist
☐ Assess whether any of the five conditions that require appointing a DPO applies
☐ If you are a public authority or body, check whether a single DPO can be shared with other public authorities or bodies
☐ Publish the contact details of the DPO and communicate them to the supervisory authority
☐ Identify whether the data will be collected directly from the data subjects or obtained indirectly (from a third party)
☐ Assess whether you qualify for an exemption from the obligation to inform the data subjects
☐ Record the assessment of your eligibility for an exemption from the obligation to inform
☐ Define an internal process to ensure the accuracy of the data processed
☐ Identify whether an exemption from the prohibition on processing special categories of personal data applies (Article 9(2) GDPR)
☐ If the exemption relies on Union or Member State law, verify that such law exists; if it does not, identify another applicable exemption
☐ If an exemption applies, also identify the legal basis for the processing under Article 6 GDPR
☐ If relying on consent, make sure it is explicit
☐ Keep a record of the consent forms
☐ Create a repository of documents containing at least those mandated by the GDPR (e.g. the records of processing activities)
☐ Assess whether the processing is likely to result in a high risk to the rights and freedoms of natural persons
☐ Record the results of this preliminary assessment
☐ If the processing is likely to result in a high risk, carry out a DPIA (Article 35 GDPR)
☐ If the envisaged measures do not mitigate the risks, implement additional adequate measures
☐ If the risks remain unmitigated and no additional measures can be implemented, consult the supervisory authority before processing (Article 36 GDPR)
☐ Record the results of the DPIA
Execution phase checklist
☐ Process the data applying the safeguards and precautions defined during the Preparation phase
☐ When developing an ICT system, ensure that data subjects can access the information they are entitled to through an appropriate user interface
☐ When developing an ICT system, assess the risks to data subjects posed by each function of the system
☐ Record the results of the assessment of the risks related to system functions
☐ If the risks of a function cannot be mitigated, consult the supervisory authority or do not implement that function
☐ Keep in mind use cases involving vulnerable data subjects
☐ When testing an ICT system, assess whether testing constitutes a processing operation distinct from developing the system
☐ Record the result of the assessment of whether testing is a distinct processing operation
☐ If testing is a distinct processing operation, assess whether its purpose is compatible with the original purpose
☐ Record the result of the compatibility test
☐ Assess whether disseminating the outcome also involves disseminating personal data, including special categories of personal data
☐ Identify the exemption that allows processing special categories of personal data before disseminating them
☐ Identify the most appropriate legal basis for processing the personal data before disseminating them
☐ Where recipients will process the data on your behalf, designate them as data processors (Article 28 GDPR)
☐ Inform the data subjects of the data transfer
☐ Check whether the data transfer is international (i.e. to a country outside the EU/EEA)
☐ If the transfer is international and no derogation applies, identify a transfer instrument (e.g. an adequacy decision or standard contractual clauses)
☐ Assess whether it is lawful to retain the personal data
☐ Record the result of the assessment of the lawfulness of data retention
☐ If it is not lawful to retain the personal data, delete or anonymise them