Design your Privacy Policy and prepare the documentation of processing

The Privacy Policy is the public document that explains how a research project processes personal data and how it applies the data protection principles, in line with the transparency and information duties of Articles 12-14 of the GDPR. All data subjects must have access to this Privacy Policy, and its content should be documented. An unofficial but recommended template can be found here: https://gdpr.eu/wp-content/uploads/2019/01/Our-Company-Privacy-Policy.pdf

Controllers must always keep in mind that, in the case of data gathered from social networks, they might end up mixing different datasets or creating inferred or derived data. The records must therefore ensure the traceability of the processing, document any possible re-use of data, and document the use of data pertaining to different datasets, whether at the same or at different stages of the life cycle. Whoever processes personal data (controllers and processors alike) needs to document their activities primarily for the use of the competent supervisory authorities. This is done through the records of processing activities (Article 30 of the GDPR), which are maintained centrally by the organization across all of its processing activities, and through additional documentation that pertains to each individual processing activity (see the "Documentation of processing" subsection in the "Main Actions and Tools" section of the General Part of these Guidelines).

The first stages of project development are the ideal moment to set up a systematic way of collecting the necessary documentation, since this is when the organization conceives and plans the processing activity[1].

Last but not least, controllers must keep in mind that ethics committees will probably play a key role in the personal data processing. Their role, however, varies considerably between sectors and countries, so controllers should ask their DPO about this topic.

Finally, controllers should not forget that there might be ethical implications beyond legal compliance. Consultation with an expert in the ethics of social networks is always recommended.

Checklist. Privacy Policy

☐ The controller has contacted the office/person who is keeping the processing records for the organization.

  • If necessary, the Data Protection Officer can help establish this contact.

☐ The controller has informed the above office/person early on of the intention to process personal data.

  • This processing activity needs to be entered in the records before processing starts.

☐ The controller has followed their instructions on

  • what information is needed to provide for the processing records,
  • when the controller needs to send updates of this information.

Additional documentation pertaining to a single processing activity

The following items must be documented:

☐ Assessment of whether the processing activity results in a high risk to the rights and freedoms of natural persons.

☐ A Data Protection Impact Assessment where the above assessment yields an affirmative result.

☐ Potential consultation of the competent supervisory authority prior to processing.

☐ Requirements and acceptance tests for the purchase and/or development of the employed software, hardware, and infrastructure.

☐ Implemented technical and organizational measures.

☐ Regular testing, assessing and evaluating the effectiveness of technical and organizational measures.

☐ Requirements and acceptance tests for the selection of processors.

☐ Contracts stipulated with processors.

☐ Possible inspections and audits of the processor.

☐ Method to collect consent.

☐ Demonstrations of individual expressions of consent.

☐ Information provided to data subjects.

☐ Implementation of data subject rights.

☐ Actual handling of data subject rights.

☐ Possible breach notifications to the competent supervisory authority.

☐ Possible communication of data breaches to the concerned data subjects.

☐ Any other communication with the competent supervisory authority.


References


[1] Article 25(1) of the GDPR calls this "the time of the determination of the means for processing".
