A DPIA (Data Privacy Impact Analysis) and GDPR (General Data Protection Regulation, or AVG) by design require the Controller – PNO – to analyze the flow of Personal Data and to take technical and/or organizational measures so that the processing stays within the GDPR boundaries. Personal Data flow from the Data Subject to the Controller and from there, optionally, to (sub-)Processor(s). For PNO the generic value chain is ‘Data Subject – Client – PNO – Processors – Subprocessor … Hosting company‘. For the PNO WBSO application, the chain is ‘Data Subject – Client – PNO – Hosting company‘, or even ‘Data Subject – Client – PNO’ when PNO hosts the WBSO application itself.

Sub pages
DPIA WBSO-tool (the Netherlands)
– DPIA_WBSO-Portal
– DPIA_PNO-Urentool
– DPIA FZ Tool (Germany)

A GDPR light consists of answers to the issues below:

  • What (personal) data (owned by the Data Subject)
  • Are mailing lists/audio/video/participant lists at hand
    (Check Technical and Organizational Measures)
  • Does a client’s procurement policy apply
  • Has organizational consent for use been given/archived
  • Does Data Subject acknowledge Privacy Statement
  • Does Data Subject acknowledge Cookie Policy
  • Does Data Subject acknowledge Netiquette
  • Where are data stored/processed (within the EEA)
  • Is access to Personal Data limited within PNO
  • Is the host ISO 27001 certified
  • How are data transmitted
  • What data is shared with whom
  • What period(s) applies (project length, tax laws etc)
  • How are data anonymized
  • How are data cleansed
  • How/when are data cleaned up/destroyed/given back
  • How can the Data Subject exercise their rights
  • Does the Privacy Statement cover all data at hand <= Frequently overlooked
  • Does the Cookie Policy cover all data at hand
  • Is there a need for a Processing Agreement
  • What technical and/or organizational measures are needed