The Privacy Policy is the public document that explains how your project processes personal data and how it applies data protection principles, according to articles 12-14 of the GDPR. All data subjects must have access to this Privacy Policy. It should be documented.
A non-official, but recommendable template can be found here: https://gdpr.eu/wp-content/uploads/2019/01/Our-Company-Privacy-Policy.pdf
Checklist. Privacy Policy
- Contact the office/person who is keeping the records of processing for your organization.
- If necessary, your Data Protection Officer can help establish the contact.
- Inform them early on that you intend to process personal data.
- Your processing activity needs to be entered in the records before processing starts.
- Follow their instructions on:
  - what information you need to provide for the records of processing,
  - when you need to send updates of this information.
Additional documentation pertaining to a single processing activity.
The following items must be documented:
- Assessment of whether the processing activity is likely to result in a high risk to the rights and freedoms of natural persons.
- A Data Protection Impact Assessment where the above assessment yields an affirmative result.
- Potential consultation of the competent supervisory authority prior to processing.
- Requirements and acceptance tests for the purchase and/or development of the employed software, hardware, and infrastructure.
- Implemented technical and organizational measures.
- Regular testing, assessing and evaluating the effectiveness of technical and organizational measures.
- Requirements and acceptance tests for the selection of processors.
- Contracts stipulated with processors.
- Possible inspections and audits of the processor.
- Method to collect consent.
- Demonstrations of individual expressions of consent.
- Information provided to data subjects.
- Implementation of data subject rights.
- Actual handling of data subject rights.
- Possible breach notifications to the competent supervisory authority.
- Possible communication of data breaches to the data subjects concerned.
- Any other communication with the competent supervisory authority.