Other reportable data transfers : 50.000 records special categories of data
Contacts with DPA : informal, questions, investigations
Source: Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters http://eur-lex.europa.eu/Notice.do?val=485881:cs&lang=en&list=485860:cs,485859:cs,485881:cs,485858:cs,485857:cs,485856:cs,485855:cs,485880:cs,485879:cs,&pos=3&page=1&nbl=9&pgs=10&hwords=&checktexte=checkbox&visu=#texte (a) deny unauthorised persons access to data-processing equipment used for processing personal data (equipment access control); (b) prevent the unauthorised reading, copying, modification or removal of data media (data media control); (c) prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of stored personal data (storage control); (d) prevent the use of automated data-processing systems by unauthorised persons using data communication equipment (user control); (e) ensure that persons authorised to use an automated data-processing system only have access to the data covered by their access authorisation (data access control); (f) ensure that it is possible to verify and establish to which bodies personal data have been or may be transmitted or made available using data communication equipment (communication control); (g) ensure that it is subsequently possible to verify and establish which personal data have been input into automated data-processing systems and when and by whom the data were input (input control); (h) prevent the unauthorised reading, copying, modification or deletion of personal data during transfers of personal data or during transportation of data media (transport control); (i) ensure that installed systems may, in case of interruption, be restored (recovery); (j) ensure that the functions of the system perform, that the appearance of faults in the functions is reported (reliability) and that stored data cannot be corrupted by means of a malfunctioning of the system (integrity).
Organisation : ___ Date : ___ Data subjects # Customers Customers nat. persons Staff members Function Name Management Sponsor Tommy Vandepitte Data Protection Officer Outsourcing DP antenna DP claims / compliants office Legislation Changes EU Date Protection Directive EU e-commerce Directive Policy y/n on finality on legitimacy on privacy notices on DPA notifications on security/confidentiality on data subject’s requests
Organisation : ___ Date : ___ Outsourcing measures # new Selection process General buying terms Controls on providers Major outsourcing # new Outsourcing partners in “unsafe” countries # new Data leakage incidents # Customers Customers nat. persons Staff members Other Intragroup transfers # new Special categories of data within safe countries To unsafe countries Court cases #
Organisation : ___ Date : ___ Overview privacy notice y/n Website customers General terms Website HR Staff agreement Company # Customer dp operations HR dp operations Contacts # Data Protection Authority Activity Supervisor Requests of data subjects Complaints of data subjects Claims of data subjects
Organisation : ___ Date : ___ Summary Content Equipment access control Technical: perimeter access controls Organisational: Data media control Technical: write access rights, enable/disable external data carriers Organisational: Storage control Technical: limit write and/or read access, write and read logging Organisational: controls of exception reports of logging User control Technical: firewalls, virusscans, secury layer connections, … Organisational:controls for unusual access (based on IP, behaviour, …, cyber attack team,… Data access control Technical: granual access paths, four eyes principle installing access rights Organisational: clear rules and requirements for access rights Communication control Technical: possibility to trace data transfers Organisational: governance model for data sharing in the organisation and outside Input control Technical: write logging Organisational: control of odd data changes Transport control Technical: encryption Organisational: instructions to limit and securty data transport (e.g. rules o the use of data carriers, the use of the cloud, the use of public network,…) Recovery Technical: back-up systems, server reduncancy , … Organisational:data recovery plan, instruction to not store (critical) information on local drives Reliability & Integrity Technical: difference between write and read access, write logging, read only mode,… Organisational: clear instruction on retrieving data from a(n original) source