The GDPR stipulates that companies must take appropriate technical and organisational measures to ensure, and to be able to demonstrate, that the processing of personal data is carried out in accordance with the GDPR. This means, among other things, that companies must have certain documents in order, depending on the type of processing activities.
Based on the audit conducted by us (or by a third party), deJuristen can draw up (or modify) the necessary documents and develop (or refine) policies. This will allow your organization to demonstrate that you comply with the principle of accountability.
In mutual consultation we discuss which documents are the minimum required for your company, what can be added to these documents, and what the process is to achieve a result as efficiently as possible.
This is an internal document describing how the organization handles personal data. The following topics are elaborated in detail: a description of the categories of personal data, a description of the purposes of the processing, the legal basis on which the organization relies, what rights the data subjects have (and how the data subjects can exercise these rights), and whether there are recipients of the personal data.
A processing register is an overview of all data flows, processing operations and the security of personal data.
The register provides an overview of the following aspects:
- The processed personal data;
- the processing operations within your company;
- an overview of data security;
- the transfer of personal data;
- the retention periods used for the personal data.
This register will provide your organization with proof that you respect the rules on privacy.
When your organization has personal data processed by another party (or your organization processes personal data on behalf of another party), a processor agreement must be concluded. A processor agreement sets out matters such as the subject and duration of the processing, its nature and purpose, the type of personal data and the categories of data subjects, and the rights and obligations of the parties (with regard to liability, the right to audit and the reporting of a data breach).
Transfer agreement between two independent controllers
By means of a transfer agreement, a data controller may share personal data with other data controllers for certain agreed purposes. This agreement imposes a number of restrictions on the use of the shared personal data, together with a set of obligations to ensure that both parties comply with their obligations under the GDPR.
Data retention policy
This policy includes the guidelines within your organization for the retention and destruction of data in accordance with legal requirements.
The purpose of this policy is to provide clear guidelines on how your organization and employees should retain data generated or received as part of their activities. It also sets the standards for appropriate protection of the stored data and for the destruction of the data upon expiration of the retention period.
This document ensures that, insofar as your organization relies on consent as a legal basis, consent is obtained correctly. The data subject will be informed about the purposes of the processing, the nature of the processing, the retention periods of the processing, and the fact that the data subject can revoke his or her consent at any time.
When your organization processes personal data through the website, it is important that data subjects are kept informed of which personal data your organization uses, for what purposes and why. It is also important that data subjects are informed about their legal rights with regard to the processing of personal data and how they can exercise these rights.
These topics are set out in a Privacy Statement and posted on your organization’s website, so that your organization shows third parties how you handle personal data.
The main purpose of a cookie statement is to inform users about the types of cookies on your website and the personal data stored by the cookies.
In addition, a cookie statement ensures – in combination with a popup or banner – that the person concerned can give their explicit consent regarding the placement of certain cookies.
Procedure for reporting data breaches (data breach action plan)
A data breach can be detrimental to both your organization and those involved. That is why it is important to have a clear procedure for dealing with data breaches, to ensure that a data breach is quickly remedied, properly investigated, that the supervisory authority and the data subjects are informed and that appropriate measures are taken to prevent such a data breach from happening again.
A data breach procedure describes the steps your organization should take from the first internal reporting to the final implementation of preventive measures. In addition, the document is provided with a data breach register, in which all details of the data breach are recorded.
A data breach procedure ensures that if a data breach occurs, your organization does not have to work out what exactly needs to be done. After all, your organization should put its energy into resolving and reporting the data leak. Having an action plan for reporting data breaches is useful so that, at the moment a data breach occurs, you have everything in order. A data breach action plan includes the following topics:
- The necessary persons to involve;
- information that needs to be collected;
- the assessment of whether the data breach has serious consequences for the data subjects;
- whether a report should be made to the Supervisory Authority and/or the data subjects and/or other bodies.
Policy on the rights of data subjects
The GDPR contains a number of rights applicable to data subjects, including the right to information, access, rectification, the so-called right to be forgotten, the right to limit and object to the processing of personal data, the right to data portability and further rights relating to automated decision-making and profiling.
Organizations must generally respond promptly to requests from data subjects to exercise these essential rights, usually within one month, and must do so free of charge (with limited exceptions). It is important that data subjects are aware of and understand their rights.
A privacy statement or policy usually summarizes these rights, but it may be desirable to provide detailed information about the rights and how data subjects can exercise them with your organization.