The data processor is responsible for complying with data protection laws and must be able to demonstrate this compliance.
What measures and records relating to our processing activities do we implement and maintain?
We implement and maintain the following measures and records relating to our processing activities:
Do we have appropriate data protection policies?
Do we carry out data protection impact assessments for uses of personal data that are likely to result in a high risk to individuals’ interests?
Principle (a) - lawfulness, fairness and transparency
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Have we identified an appropriate lawful basis for the processing of personal data?
We have identified the following appropriate lawful ground(s) for the processing of personal data:
Have we identified a further Schedule 1 condition for the processing of personal data?
See ‘PART 3. SCHEDULE 1 CONDITION FOR PROCESSING’ for more details on the further conditions for processing.
Do we make appropriate privacy information available with respect to personal data and are we open and honest when we collect personal data, ensuring that we do not deceive or mislead people about its use?
Principle (b) - purpose limitation
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Have we clearly identified our purpose for processing personal data?
See ‘PART 2. DESCRIPTION OF DATA PROCESSED’ for more detail on the purpose for processing.
Have we included appropriate details of the purpose in our privacy information for individuals?
If we plan to use personal data for a new purpose, do we check that this is compatible with our original purpose or get specific consent for the new purpose?
We will not use personal data for new, different or incompatible purposes from those disclosed when the data was first obtained unless:
we have informed the data subject of the new purposes and they have consented where necessary; or
if we use personal data for new compatible purposes, then we will inform the data subject first.
Principle (c) - data minimisation
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
Are we satisfied that we only collect personal data we actually need for our specified purpose and that we have sufficient personal data to properly fulfil this purpose?
Do we periodically review this particular personal data, and delete anything we don’t need?
Principle (d) - accuracy
Personal data shall be accurate and, where necessary, kept up to date.
Do we have appropriate processes in place to check the accuracy of the personal data we collect and identify when we need to update the personal data?
Who is the source of the personal data?
Do we have a policy (or procedure) outlining how we keep records of mistakes and opinions?
Do we have a policy (or procedure) outlining how we deal with challenges to the accuracy of data and how we ensure compliance with individuals’ rights to rectification?
Principle (e) - storage limitation
Personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
Do we carefully consider how long we keep the personal data and can we justify this amount of time?
How often do we review our information and erase or anonymise this personal data when we no longer need it?
Do we need to keep any personal data for public interest archiving, scientific or historical research, or statistical purposes?
We need to keep personal data for:
More information can be requested from the at .
Principle (f) - integrity and confidentiality (security)
Personal data shall be processed in a manner that ensures appropriate security of the data (including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage) using appropriate technical or organisational measures.
Have we analysed the risks presented by our processing and used this to assess the appropriate level of security we need for this personal data?
We have analysed the risks presented by our processing, assessed the appropriate level of security, and put in place the security measures outlined below.
Do we have an information security policy regarding this personal data in place?
What organisational and/or technical measures or controls have we put in place because of the circumstances and the type of personal data we are processing?