Personal data flows from the person who owns the data (role: Data Subject) via a potential Client / Consortium (role: Controller or Not Applicable) to PNO (role: Controller or Processor), and from there to third parties (role: (sub-)Processor). Across the whole chain, data must be handled ‘GDPR-proof’. Examples at Personal Data Flow. Check GDPR Texts PNO for text used by PNO on GDPR.
Data Subject >Consent> Client >GDPR Text> PNO >Processing Agreement> (sub) Processor
At PNO we protect the flow of personal data in accordance with the GDPR. The available instruments are listed in the first column. PNO often assumes the role of Controller; the various roles are listed in the column ‘GDPR Role’. The documents that should be archived or available are listed in the third column, followed by remarks. Check for practical solutions: technical and/or organizational measures.
Click on the links in the column ‘Role’ for a ‘GDPR road map’.
| Instruments | GDPR Role | On Archive | Remarks |
|---|---|---|---|
| Dutch Privacy Authority | Data Subject | Consent, Data breach, Incident report | Person or Client |
| DPIA, GDPR by design | PNO Controller | Privacy Statement, Disclaimer, Netiquette, Cookie Policy, General Terms & Conditions *) | |
| Shared responsibility | Advice – Management support | Idem | |
| ISO 27001 | Compliance service | Idem | See ffiqs |
| SaaS service | Idem | Under construction | |
| Consortium Agreement and Annexes | Beneficiary EU consortium | Idem | Possible co-Processor Linking Contract |
| Audit | ISO | GDPR by design | Processing Agreement | Central PA register | ||
| PNO Processor | Idem | Check on procurement policy for obligations | |
| Audit | ISO | GDPR by design | Processing Agreement | ||
| Sub-processor | |||
| Audit | ISO | GDPR by design | Processing Agreement | ||
| Sub-processor | |||
| Etc. | |||
