General Data Protection Regulation (GDPR)

  1. Obligations of Controllers and Processors
    1. General Obligations
      1. Controller Responsibilities
        1. Implementing Appropriate Measures
          1. Technical Measures
          2. Organisational Measures
          3. Risk-Based Approach
        2. Demonstrating Compliance
          1. Documentation Requirements
          2. Compliance Evidence
          3. Regular Reviews
      2. Processor Responsibilities
        1. Processing Under Controller's Instructions
          1. Written Instructions
          2. Documented Instructions
          3. Instruction Compliance
        2. Confidentiality Obligations
          1. Staff Confidentiality
          2. Access Restrictions
        3. Security Measures
          1. Appropriate Security Level
          2. Risk Assessment
        4. Sub-Processing Requirements
          1. Prior Authorization
          2. Written Contracts
          3. Chain of Responsibility
        5. Assistance Obligations
          1. Data Subject Rights
          2. Security Incidents
          3. Impact Assessments
        6. Data Return or Deletion
          1. End of Processing
          2. Controller Instructions
      3. Joint Controllers
        1. Determining Joint Responsibility
          1. Common Purposes
          2. Common Means
          3. Shared Decision-Making
        2. Arrangements Between Joint Controllers
          1. Transparent Arrangements
          2. Respective Responsibilities
          3. Data Subject Contact Point
      4. Records of Processing Activities
        1. Controller Records
          1. Processing Purposes
          2. Data Categories
          3. Data Subject Categories
          4. Recipient Categories
          5. International Transfers
          6. Retention Periods
          7. Security Measures
        2. Processor Records
          1. Controller Details
          2. Processing Categories
          3. International Transfers
          4. Security Measures
        3. Exemptions for Small Organisations
          1. 250 Employee Threshold
          2. Risk-Based Exceptions
          3. Special Category Processing
    2. Data Protection by Design and by Default
      1. Privacy by Design Principles
        1. Integrating Data Protection into Processing
          1. System Design Phase
          2. Process Development
          3. Technology Selection
        2. State of the Art Consideration
          1. Current Technology
          2. Implementation Costs
          3. Risk Assessment
        3. Minimising Data Collection
          1. Purpose Limitation
          2. Data Minimisation
          3. Storage Limitation
      2. Privacy by Default Principles
        1. Limiting Access and Disclosure
          1. Need-to-Know Basis
          2. Access Controls
          3. Default Settings
        2. Default Settings and User Choices
          1. Privacy-Friendly Defaults
          2. User Control Options
          3. Granular Settings
    3. Security of Processing
      1. Technical Measures
        1. Encryption
          1. Data at Rest
          2. Data in Transit
          3. Key Management
        2. Pseudonymisation
          1. Implementation Methods
          2. Key Separation
          3. Re-identification Prevention
        3. Data Backup and Recovery
          1. Regular Backups
          2. Recovery Testing
          3. Secure Storage
        4. Access Controls
          1. Authentication Systems
          2. Authorization Mechanisms
          3. Privileged Access Management
      2. Organisational Measures
        1. Access Control Policies
          1. Role-Based Access
          2. Principle of Least Privilege
          3. Regular Access Reviews
        2. Staff Training
          1. Data Protection Awareness
          2. Security Procedures
          3. Incident Response
        3. Incident Response Planning
          1. Response Procedures
          2. Escalation Processes
          3. Communication Plans
        4. Vendor Management
          1. Due Diligence
          2. Contractual Safeguards
          3. Ongoing Monitoring
      3. Risk Assessment
        1. Identifying and Evaluating Risks
          1. Threat Identification
          2. Vulnerability Assessment
          3. Impact Analysis
        2. Implementing Mitigation Measures
          1. Risk Treatment Options
          2. Control Implementation
          3. Residual Risk Management
        3. Regular Security Reviews
          1. Periodic Assessments
          2. Continuous Monitoring
          3. Update Procedures
    4. Personal Data Breach Notification
      1. Notification to Supervisory Authority
        1. Timing Requirements
          1. 72-Hour Rule
          2. Delay Justification
          3. Phased Notifications
        2. Content of Notification
          1. Nature of Breach
          2. Categories and Numbers Affected
          3. Contact Point Details
          4. Likely Consequences
          5. Measures Taken or Proposed
        3. Exceptions to Notification
          1. Unlikely Risk to Rights
          2. Risk Mitigation Measures
      2. Communication to Data Subject
        1. Criteria for Communication
          1. High Risk to Rights
          2. Risk Assessment
          3. Mitigation Measures
        2. Content of Communication
          1. Nature of Breach
          2. Contact Point Details
          3. Likely Consequences
          4. Measures Taken or Proposed
        3. Exceptions to Communication
          1. Disproportionate Effort
          2. Public Communication
          3. Technical Protection Measures
      3. Documentation Requirements
        1. Breach Register
        2. Investigation Records
        3. Decision Rationale
    5. Data Protection Impact Assessment
      1. When DPIA is Required
        1. High-Risk Processing Activities
          1. Systematic Monitoring
          2. Large-Scale Special Categories
          3. Large-Scale Public Areas
          4. Automated Decision-Making
          5. Vulnerable Data Subjects
        2. Supervisory Authority Lists
          1. Mandatory DPIA List
          2. Optional DPIA List
      2. Examples of High-Risk Scenarios
      3. Content of DPIA
        1. Description of Processing
          1. Processing Operations
          2. Purposes of Processing
          3. Legitimate Interests
        2. Assessment of Necessity and Proportionality
          1. Purpose Achievement
          2. Less Intrusive Alternatives
          3. Balancing Test
        3. Risk Assessment and Mitigation
          1. Risk Identification
          2. Risk Analysis
          3. Mitigation Measures
        4. Stakeholder Consultation
          1. Data Subject Views
          2. Expert Opinions
      4. DPIA Process
        1. Timing of DPIA
        2. Review and Updates
        3. Prior Consultation Requirements
    6. Data Protection Officer
      1. Designation of DPO
        1. Criteria for Mandatory Appointment
          1. Public Authorities
          2. Core Activities Monitoring
          3. Core Activities Special Categories
                                                                                                                                                                                                                                                                                          2. Voluntary Appointment
                                                                                                                                                                                                                                                                                            1. Qualifications and Expertise
                                                                                                                                                                                                                                                                                              1. Data Protection Knowledge
                                                                                                                                                                                                                                                                                                1. Technical Knowledge
                                                                                                                                                                                                                                                                                                  1. Professional Experience
                                                                                                                                                                                                                                                                                                  2. Internal or External DPO
                                                                                                                                                                                                                                                                                                    1. Employment Arrangements
                                                                                                                                                                                                                                                                                                      1. Service Contracts
                                                                                                                                                                                                                                                                                                        1. Shared DPO Services
                                                                                                                                                                                                                                                                                                      2. Position and Tasks of DPO
                                                                                                                                                                                                                                                                                                        1. Independence and Resources
                                                                                                                                                                                                                                                                                                          1. Reporting Lines
                                                                                                                                                                                                                                                                                                            1. Conflict of Interest
                                                                                                                                                                                                                                                                                                              1. Resource Provision
                                                                                                                                                                                                                                                                                                                1. Support and Access
                                                                                                                                                                                                                                                                                                                2. Advisory and Monitoring Functions
                                                                                                                                                                                                                                                                                                                  1. Compliance Monitoring
                                                                                                                                                                                                                                                                                                                    1. Training and Awareness
                                                                                                                                                                                                                                                                                                                      1. DPIA Advice
                                                                                                                                                                                                                                                                                                                        1. Risk Assessment
                                                                                                                                                                                                                                                                                                                        2. Point of Contact for Supervisory Authorities
                                                                                                                                                                                                                                                                                                                          1. Cooperation Duties
                                                                                                                                                                                                                                                                                                                            1. Information Provision
                                                                                                                                                                                                                                                                                                                              1. Investigation Support
                                                                                                                                                                                                                                                                                                                              2. Data Subject Contact
                                                                                                                                                                                                                                                                                                                                1. Inquiry Handling
                                                                                                                                                                                                                                                                                                                                  1. Complaint Processing
                                                                                                                                                                                                                                                                                                                                    1. Rights Facilitation