SCHREMS II has been an impediment to global data flows

There is a difference between making a decision on the adequacy of a country’s laws and assessing impediments in a country to enforcing contracts. The European Commission is making a decision on whether the third country’s laws are essentially equivalent to the GDPR when making adequacy decisions under Article 45 of the General Data […]

What consultations should occur prior to high-risk processing?

Different types of consultations must occur prior to high-risk processing. Where appropriate, the views of individuals or their representatives on the intended processing must be sought, as long as commercial or public interests and the security of processing operations are protected. When carrying out a data […]

When is a data protection impact assessment required and how is it conducted?

Under the GDPR, when a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of individuals (taking into account the nature, scope, context and purposes of the processing), the controller is required, prior to the processing, to conduct an assessment of the impact […]

Why you should have a Data Protection Policy and a Data Retention and Erasure Policy and what should be in them?

As discussed in the previous blog on security assessments, the GDPR requires the controller and the processor to implement appropriate technical and organizational measures.  Examples of organizational measures are policies and procedures, and two of the recommended security policies are: (1) a Data Protection Policy, and (2) a Data Retention and Erasure Policy. The Data […]

How is security of processing assessed?

The GDPR requires the controller and the processor to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. In order to determine the “appropriate level of security,” an assessment must be done that takes into account the state of the art, the costs of implementation, and the nature, […]

Why you should have a Personal Data Breach Policy and what should be in it?

You should have a Personal Data Breach Policy that sets forth a plan for how to respond to a Personal Data Breach. Having and implementing such a plan helps protect an organization from a Personal Data Breach and enables a timely response if a Personal Data Breach is suspected or occurs. Given these reasons for […]

What needs to be in a GDPR personal data breach notification?

If a personal data breach communication must be provided to an individual, it must describe in clear and plain language the nature of the personal data breach. If a notification to a supervisory authority of a personal data breach must be given, the description of the nature of the personal data breach should include if […]

What is a data breach under the GDPR and what do you do when one happens?

Under the GDPR, the term “personal data breach” means a breach of security that leads to the accidental or unlawful destruction, loss or alteration of, or the unauthorized disclosure of or access to, personal data that have been transmitted, stored or processed in some other way. After becoming aware of a personal […]