What needs to be in the agreement between the controller and the processor?

Processing by a processor must be governed by an agreement that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of individuals, and the obligations and rights of the controller. That agreement must provide, in particular, that the processor: Processes the […]

What kind of agreements do you need if you are a processor or use a subprocessor?

Whenever you as a controller use a processor to process personal data for you, you need to make sure that the processor will provide appropriate technical and organizational security measures that protect the rights of individuals. In order to do that, you must have a written agreement between you and the processor. If you are […]

Do you use a processor to process or are you a processor who processes personal data?

As was discussed in an earlier blog, there is a distinction between a controller and a processor. A controller determines the purposes and means of processing of personal data. The controller, taking into account the nature, scope, context, and purpose of the processing and the risks of varying likelihood and severity for the rights and […]

What does it mean to use contract as a legal ground for processing personal data?

Contract is the third most common legal basis for organizations to process personal data. In order to determine whether a controller can use contract as the legal ground for processing personal data, ask whether the processing is:

- Necessary
- For the performance of a contract to which the individual is a party
- In order to take […]

How is a legitimate interest assessment conducted?

In order for a controller to use legitimate interest as the legal ground for processing personal data, the controller will need to conduct a legitimate interest assessment (LIA). A LIA consists of at least five parts:

- The purpose for the processing of the personal data
- The necessity of the processing
- If the processing is necessary, whether the impact on individuals overrides the organization’s legitimate interests […]

What does it mean for an organization to have a legitimate interest to process personal data?

Legitimate interest is one of the more common legal grounds for a controller to process personal data. Legitimate interest is different from consent; it is not processing that the individual has specifically agreed to; it is not processing linked to a specific purpose (like the one specified in a contract with the individual (contract as […]

How to get consent from individuals to process their data?

Consent is one of the most common legal grounds for a controller to process personal data. Consent of the individual means any:

- Freely given (i.e. real choice and control). An example is when individuals have to agree to get access to a website; then they do not have choice and control and consent is not […]

What is a “legal basis to process personal data”?

Under the GDPR, a business that determines how personal data are processed can only begin activities that involve the processing of personal data if at least one of the following legal grounds applies: The individual has given consent to the processing of his or her personal data for one or more specific purposes (an example […]

How do I keep all the individual rights straight? Are there any commonalities between all the individual rights?

There are some procedural and some substantive commonalities between the rights to access, rectification, erasure, restriction, portability and object. Let’s discuss the similarities among all six rights first: The controller must ascertain the identity of the individual making the request. If the controller does not have the information to determine the identity of the individual […]