- The controllers have made sure that the individual’s interests do not override legitimate interests of the controller or third parties.
- The controllers use data subject’s data in ways they would reasonably expect.
- The controllers are not using data subject’s data in a very intrusive way or in a way which could cause them harm, unless they have a particularly good reason.
- The controllers do not process special categories of personal data, or, if they do, they have taken care that adequate technical and organizational safeguards are implemented in processing.
- The controllers have considered safeguards to reduce the impact where possible.
- The controllers have considered whether they need to conduct a DPIA.