A DPIA (Data Privacy Impact Analysis) and GDPR (General Data Protection Regulation, or AVG) by design oblige the Controller, PNO, to analyze the flow of Personal Data and to take technical and/or organizational measures so that the processing stays within the GDPR boundaries. Personal Data flow from the Data Subject to the Controller and from there, optionally, to (sub-)Processor(s).
– For PNO the generic processing chain is
‘Data Subject – Client – PNO – Processors – Sub-processor … Hosting company‘.
– For the PNO WBSO application, the chain is
‘Data Subject – Client – PNO – Hosting company‘ or even
‘Data Subject – Client – PNO’ because PNO hosts the WBSO application themselves.
– For
Sub pages
– DPIA WBSO-tool (the Netherlands)
– DPIA ESF Tool (Current version 2022 08 01 – in 2023 new one)
– DPIA PNO Urentool (Postponed)
– DPIA FZ Tool (Germany; postponed)
– DPIA FZ Tool (France; postponed)
A GDPR light consists of an answer to the below issues:
- What (personal) data (owned by the Data Subject)
- Are mailing lists/audio/video/participant lists at hand (check Technical and Organizational Measures)
- Does a client’s procurement policy apply
- Organization consent for use given/archived
- Does Data Subject acknowledge Privacy Statement
- Does Data Subject acknowledge Cookie Policy
- Does Data Subject acknowledge Netiquette
- Where are data stored/processed (within EER)
- Is access to Personal Data limited within PNO
- Is the host ISO 27001 certified
- How are data transmitted
- What data is shared with whom
- What period(s) apply (project length, tax laws etc.)
- How are data anonymized
- How are data cleansed
- How/when are data cleaned up/destroyed/given back
- How can the Data Subject exercise their rights
- Does the Privacy Statement cover all data at hand (frequently overlooked)
- Does the Cookie Policy cover all data at hand
- Is there a need for a Processing Agreement
- What technical and/or organizational measures are needed