Step1

* Value required to continue the assessment.

- I have read and understood the Privacy Policy *

- I have read and understood the Terms of use *

A - Company Name *

B - Email *

1 - Select your geographical scope of operations

As an entity not established in the E.U., but operating on the entire EU (meaning, processing the personal data of data subjects who are in the Union), the GDPR may apply to you where your processing activities relate to:
1. the offering of goods or services, irrespective of whether a payment of the data subject is required
2. the monitoring of the data subjects’ behaviour. [Art. 3 (2) GDPR]
Additionally, if the above conditions apply to your entity, please be cautious that each Member State may define stricter or at least more specific rules on certain areas of the General Data Protection Regulation. For example, a Member State may:

maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health, [Art. 9 (4) GDPR]; or,
lower the stipulated age of 16 years old in offering information society services directly to a child, with the lowest limitation at 13 years old [Art. 8 (1) GDPR].
provide for criminal penalties for infringements of the GDPR or of national data protection laws.

In short: make sure to stay updated with the national data protection laws of the countries where your company operates, especially looking into the points where the GDPR allows Member States to integrate the GDPR.
In addition to the above, if you are a United Kingdom business or organization and you receive personal data or operates in the EU, the Information Commissioner’s Office (“ICO”, the UK’s data protection authority) explains that the European Commission is evaluating the granting of an adequacy decision to the UK. The adequacy decision would allow UK businesses and organisations to receive personal data from the European Economic Area (EEA) with similar or the same data protection rules as those that have been implemented until 2020. However, if you are a UK business that receives personal data from the EEA, the ICO recommends taking extra steps to ensure that the data flow will not be affected even if an adequacy decision is not issued by the European Commission. On the other hand, if your organisation has an office or a branch in the EEA, your organization will need to comply with both the UK and the EU data protection regulations; and you may need to designate a representative in the EEA. An important action that you must take is to identify the data you hold in the EU before the end of 2020 , the so-called ‘legacy data’ in order to apply the rules of the GDPR to it. A useful tool to help you decide if you are processing any ‘legacy data’ is the End of Transition Interactive Tool by the ICO. However, keep in mind that if the EU Commission grants an adequacy decision to the UK the requirements applied to this legacy data can also change.
In any case, we recommend that you constantly monitor the ICO website for any updates for SMEs on data protection after the end of the Brexit transition periods, as well as the general news and announcements on data protection after the end of the transition period (for ease, you can also sign up to the ICO newsletter) in order to ensure that you follow the most up-to-date guidance and implement it within your organization in a timely manner.
Additional useful resources, tools and further reading: Resources, Tools & Solutions:

End of Transition Interactive Tool for small businesses by the Information Commissioner’s Office (ICO).
An interactive tool designed for small and medium-sized businesses and organisations based in the UK who need to maintain the free flow of personal data from Europe to the UK.

Further reading:
The ICO has already made available many different tools for compliance with the post-Brexit requirements that SMEs must be aware of, including:

A webinar aimed at SMEs discussing the key data protection requirements to consider at the end of the transition period.
Frequently asked questions (FAQs) about information rights and the end of the transition period.

2 - What is the total annual worldwide turnover of your entity?

Keep in mind that your exposure to GDPR sanctions varies depending on the circumstances of each case, according to Art. 83 GDPR ; however, it is important to note that for companies, the administrative fine may be up to 2% of your total worldwide annual turnover (for infringements on certain provisions) or even 4% of your total worldwide annual turnover (for infringements on more crucial provisions).
The decision on whether to impose an administrative fine and determining the amount will depend on the following conditions, including:

The intentional or negligent character of the infringement;
Any mitigating actions that were taken by the controller or processor in order to minimise the damage suffered by data subjects;
The degree of responsibility of the controller or processor in mitigating the damage suffered by data subjects (see Articles 25 and 35 GDPR );
Relevant previous infringements by the controller or processor;
The degree of cooperation with the supervisory authority so that the infringement can be remedied, and possibly mitigate harmful effects of the infringement;
The categories of personal data affected by the infringement;
The way with which the infringement became known to the supervisory authority, especially considering if and to what extent the controller or processor directly notified the infringement;
Compliance with corrective measures previously issued by the supervisory authority against the controller or processor on the same subject-matter under Art. 58 GDPR (for example, an order to comply with the data subject’s request to exercise his / her rights, or a warning that a processing operation is likely to infringe the GDPR, or an order to impose a temporary or definitive limitation such as a ban on processing);
Adherence to approved codes of conduct (pursuant to Article 40 GDPR) or approved certification mechanisms (Article 42 GDPR)
Any other aggravating or mitigating factor applicable to the circumstances of the case, for example, financial benefits gained or losses avoided, directly or indirectly from the infringement.

We recommend using the above conditions as a compass to comprehend the possibility to both prevent administrative sanctions against your organization, as well as to mitigate the extent of the administrative sanction through proactive behaviour and an overall cooperative approach towards the supervisory authority.

The intentional or negligent character of the infringement;
Any mitigating actions that were taken by the controller or processor in order to minimise the damage suffered by data subjects;
The degree of responsibility of the controller or processor in mitigating the damage suffered by data subjects (see Articles 25 and 35 GDPR );
Relevant previous infringements by the controller or processor;
The degree of cooperation with the supervisory authority so that the infringement can be remedied, and possibly mitigate harmful effects of the infringement;
The categories of personal data affected by the infringement;
The way with which the infringement became known to the supervisory authority, especially considering if and to what extent the controller or processor directly notified the infringement;
Compliance with corrective measures previously issued by the supervisory authority against the controller or processor on the same subject-matter under Art. 58 GDPR (for example, an order to comply with the data subject’s request to exercise his / her rights, or a warning that a processing operation is likely to infringe the GDPR, or an order to impose a temporary or definitive limitation such as a ban on processing);
Adherence to approved codes of conduct (pursuant to Article 40 GDPR) or approved certification mechanisms (Article 42 GDPR)
Any other aggravating or mitigating factor applicable to the circumstances of the case, for example, financial benefits gained or losses avoided, directly or indirectly from the infringement.

The intentional or negligent character of the infringement;
Any mitigating actions that were taken by the controller or processor in order to minimise the damage suffered by data subjects;
The degree of responsibility of the controller or processor in mitigating the damage suffered by data subjects (see Articles 25 and 35 GDPR );
Relevant previous infringements by the controller or processor;
The degree of cooperation with the supervisory authority so that the infringement can be remedied, and possibly mitigate harmful effects of the infringement;
The categories of personal data affected by the infringement;
The way with which the infringement became known to the supervisory authority, especially considering if and to what extent the controller or processor directly notified the infringement;
Compliance with corrective measures previously issued by the supervisory authority against the controller or processor on the same subject-matter under Art. 58 GDPR (for example, an order to comply with the data subject’s request to exercise his / her rights, or a warning that a processing operation is likely to infringe the GDPR, or an order to impose a temporary or definitive limitation such as a ban on processing);
Adherence to approved codes of conduct (pursuant to Article 40 GDPR) or approved certification mechanisms (Article 42 GDPR)
Any other aggravating or mitigating factor applicable to the circumstances of the case, for example, financial benefits gained or losses avoided, directly or indirectly from the infringement.

The intentional or negligent character of the infringement;
Any mitigating actions that were taken by the controller or processor in order to minimise the damage suffered by data subjects;
The degree of responsibility of the controller or processor in mitigating the damage suffered by data subjects (see Articles 25 and 35 GDPR );
Relevant previous infringements by the controller or processor;
The degree of cooperation with the supervisory authority so that the infringement can be remedied, and possibly mitigate harmful effects of the infringement;
The categories of personal data affected by the infringement;
The way with which the infringement became known to the supervisory authority, especially considering if and to what extent the controller or processor directly notified the infringement;
Compliance with corrective measures previously issued by the supervisory authority against the controller or processor on the same subject-matter under Art. 58 GDPR (for example, an order to comply with the data subject’s request to exercise his / her rights, or a warning that a processing operation is likely to infringe the GDPR, or an order to impose a temporary or definitive limitation such as a ban on processing);
Adherence to approved codes of conduct (pursuant to Article 40 GDPR) or approved certification mechanisms (Article 42 GDPR)
Any other aggravating or mitigating factor applicable to the circumstances of the case, for example, financial benefits gained or losses avoided, directly or indirectly from the infringement.

3 - Does your organisation process special categories of personal dataSpecial categories of personal data includes processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation
[Article 9 GDPR - Processing of special categories of personal data] (i.e. sensitive data, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation) or judicial data Judicial data include the processing of personal data relating to criminal convictions and offences or related security measures.
[Article 10 GDPR – Processing of personal data relating to criminal convictions and offences.] (such as personal data relating to criminal convictions and offences)?

Seeing as your company processes special categories of personal dataSpecial categories of personal data includes processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation
[Article 9 GDPR - Processing of special categories of personal data] , there are additional obligations expected according to the GDPR. To be more precise, the GDPR stipulates that a data controller is prohibited to process special categories of personal dataSpecial categories of personal data includes processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation
[Article 9 GDPR - Processing of special categories of personal data] (such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic or biometric data, or any data concerning the health or a person’s sex life or sexual orientation) unless the data controller follows on one of the legal basis enlisted in article 9(2) of the GDPR.

More generally, if your company does process such special categories of personal dataSpecial categories of personal data includes processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation
[Article 9 GDPR - Processing of special categories of personal data] , the main way to do so is if you have received explicit consent to the processing of those personal data. Explicit consent will not be needed if one of the below applies to you:

the processing is necessary for the purpose of carrying out the obligations and exercising specific rights of the data controller or of the data subject in the field of employment and social security and social protection law (i.e., only to be used in employment relationships, or when related to social security);
the processing is necessary to protect the vital interests of the data subject (i.e., only to be used in life or death situations);
the processing is carried out by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim- in the course of its legitimate activities, and, on condition that the processing related solely to members, former members, or to persons regularly contacting the foundation (i.e., a not-for-profit body processes the health data of its members for the purpose of providing them health insurance);
the processing relates to personal data which are manifestly made public by the data subject (i.e., entered their data on a public database provided by a governmental or enforcement authority);
the processing is necessary for the establishment, exercise or defence of legal claims (i.e., when a company must collect such data in order to defend themselves in court proceedings);
the processing is necessary for the purposes of preventive or occupational medicine (i.e., a company that provides medical diagnosis, a company that manages healthcare or social care systems and services, or generally medicine-related companies that may collaborate with health professionals in order to cure a disease or a disorder);
the processing is necessary for reasons of public interest in the area of public health (i.e., a company involved in the protection against serious crossborder threats to health);
the processing is necessary for archiving purposes in the public interest, scientific or historical research purpose or statistical purposes. (i.e., a research company conducts in-depth research for statistical purposes).

In case none of the above applies to the processing activities your company conducts, “explicit” consent is required. “Explicit” refers to the way consent is expressed by the data subject, meaning that in the case where you collect special categories of personal dataSpecial categories of personal data includes processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation
[Article 9 GDPR - Processing of special categories of personal data] , the data subject must give an express statement of consent such as in a written statement (where possible), or via an electronic form, through the sending of an email, or by uploading a scanned document which is signed by the data subject [Article 29 Working Party Guidelines on consent under Regulation 2016/679].

Theoretically, oral statements may also be a way to obtain valid explicit consent, however, at a later stage, it may be difficult to prove that all conditions for a valid consent were met when the statement was recorded [Article 29 Working Party Guidelines on consent under Regulation 2016/679].

If your organisation uses online software or obtains the personal data online, then two-stage verification of consent may also be a way to make sure explicit consent is valid[Article 29 Working Party Guidelines on consent under Regulation 2016/679].

An example of this method could be for the data subject to receive an e-mail notifying him/her of the controller’s intent to process a record containing medical data, for example, and asking for his/her explicit consent. Then, if the data subject agrees to the use of his/her data, he/she will be asked to send an e-mail reply containing the statement “I agree”. Once the reply is sent, the data subject will receive a verification link that must be clicked; either in a follow-up e-mail or via SMS with a verification code,to confirm his/her earlier agreement [Article 29 Working Party Guidelines on consent under Regulation 2016/679].

You are free to choose other methods to obtain explicit consent, however, it is recommended the ones mentioned above were those that have been suggested by the European Data Protection Board (also known as Working Party 29), in their Guidelines on Consent.
Finally, the Article 29 Working Party has highlighted that one of the criteria for deciding whether a Data Protection Impact Assessment should be carried out is to consider whether ‘sensitive data’ is processed. According to the opinion, sensitive data or data of highly personal nature includes special categories of personal dataSpecial categories of personal data includes processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation
[Article 9 GDPR - Processing of special categories of personal data] as defined in Article 9 GDPR, for example information about political opinions, and personal data relating to criminal convictions or offences as defined in Article 10 GDPR. These categories of personal data may mandatorily require a Data Protection Impact Assessment to be carried out in order to assess the risk being posed to the data subjects and propose mitigating security measures. Therefore, please carefully consider whether it is mandatory to carry out a DPIA according to this criteria.
Additional useful resources, tools and further reading:
Resources, Tools & Solutions:

A modular tool to conduct Data Protection Impact Assessment, through a step-by-step process, which can also be customised based on the specific needs of an SME or your business sector has been created by the French Data Protection Authority. This software is available in both portal and web versions, and can be found for free here.
Self assessment checklist for GDPR Readiness Checklist Tool on legal basis (click on “data security”) by the Irish Data Protection Commission.

Further reading:

The methodology of the French Data Protection Authority (CNIL) is a collection of three guides:

Privacy Impact Assessment (PIA) Methodology, which sets out the approach for carrying out a Data Protection Impact Assessment.
Privacy Impact Assessment (PIA) Templates, including information that can be used to carry out the analysis of the Data Protection Impact Assessment.
Privacy Impact Assessment (PIA) Knowledge Bases), a catalogue of controls aimed at complying with the legal requirements and mitigating the risks.

3B - Does your entity process genetic data, biometric data, or data concerning health?

Keep in mind that the Member State where you operate may maintain or introduce further conditions, or limitations, with regard to the processing of genetic data, biometric data, or data concerning health. Furthermore, remember to always specify in your privacy policy that you process this type of data, indicating one of the legal grounds provided for by art. 9(2) GDPR.
Lastly, the Article 29 Working Party has highlighted that one of the criteria for deciding whether a Data Protection Impact Assessment should be carried out is to consider whether ‘sensitive data’ is processed.
According to the opinion, sensitive data or data of highly personal nature includes special categories of personal data as defined in Article 9 GDPR. For example, if a general hospital keeps patients’ medical records, this would require a Data Protection Impact Assessment to be carried out in order to assess the risk being posed to the data subjects and propose mitigating security measures. Therefore, please carefully consider whether it is mandatory to carry out a DPIA.
Additional useful resources, tools and further reading:
Resources, Tools & Solutions:

A modular tool to conduct Data Protection Impact Assessment, through a step-by-step process, which can also be customised based on the specific needs of an SME or your business sector has been created by the French Data Protection Authority. This software is available in both portal and web versions, and can be found for free here.
Self assessment checklist for GDPR Readiness Checklist Tool on legal basis (click on “data security”) by the Irish Data Protection Commission.

Further reading:

Guidelines on Data Protection Impact Assessment (DPIA) and determining whoever processing is “likely to result in a high risk” for the purposes of Regulation 2016/679.

The methodology of the French Data Protection Authority (CNIL) is a collection of three guides:

Privacy Impact Assessment (PIA) Methodology, which sets out the approach for carrying out a Data Protection Impact Assessment.
Privacy Impact Assessment (PIA) Templates, including information that can be used to carry out the analysis of the Data Protection Impact Assessment.
Privacy Impact Assessment (PIA) Knowledge Bases), a catalogue of controls aimed at complying with the legal requirements and mitigating the risks.

A modular tool to conduct Data Protection Impact Assessment, through a step-by-step process, which can also be customised based on the specific needs of an SME or your business sector has been created by the French Data Protection Authority. This software is available in both portal and web versions, and can be found for free here.
Self assessment checklist for GDPR Readiness Checklist Tool on legal basis (click on “data security”) by the Irish Data Protection Commission.

Further reading:

Guidelines on Data Protection Impact Assessment (DPIA) and determining whoever processing is “likely to result in a high risk” for the purposes of Regulation 2016/679.

The methodology of the French Data Protection Authority (CNIL) is a collection of three guides:

Privacy Impact Assessment (PIA) Methodology, which sets out the approach for carrying out a Data Protection Impact Assessment.
Privacy Impact Assessment (PIA) Templates, including information that can be used to carry out the analysis of the Data Protection Impact Assessment.
Privacy Impact Assessment (PIA) Knowledge Bases), a catalogue of controls aimed at complying with the legal requirements and mitigating the risks.

4 - Does your entity provide informationArticles 12, 13 and 14 GDPR set out the information that controllers should supply and when individuals should be informed. The information to supply is determined by whether or not the personal data were obtained directly from individuals or not.
The information supplied about the processing of personal data must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.
to individuals (see Articles 12, 13 and 14 GDPR) prior to processing their personal data (i.e. informationArticles 12, 13 and 14 GDPR set out the information that controllers should supply and when individuals should be informed. The information to supply is determined by whether or not the personal data were obtained directly from individuals or not.
The information supplied about the processing of personal data must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.
notice, privacy policy, etc.)?

As an entity that processes personal data of data subjects, you have the obligation to inform your data subjects, at the time when the personal data are obtained, of specific aspects of the processing activity. The most valuable informationArticles 12, 13 and 14 GDPR set out the information that controllers should supply and when individuals should be informed. The information to supply is determined by whether or not the personal data were obtained directly from individuals or not.
The information supplied about the processing of personal data must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.
that must be communicated to the data subject is:

the identity and contact details of your entity (as a data controller)
the contact details of your data protection officer (in case a DPO has been designated)
the specific purpose of the processing
the recipients or categories of recipients of their personal data
the period that their personal data will be stored
whether the personal data will be transferred outside of the European Union
the data subject rights (right to access to and rectification or erasure of their personal data, or the right of restriction of processing or right to object to the processing)
The source from which the personal data originates (in case the data was not obtained from the data subjects [Art. 14 (2(f)) GDPR.]).

Additionally, it is not enough to simply provide some informationArticles 12, 13 and 14 GDPR set out the information that controllers should supply and when individuals should be informed. The information to supply is determined by whether or not the personal data were obtained directly from individuals or not.
The information supplied about the processing of personal data must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.
about the processing of personal data, therefore we recommend that the informationArticles 12, 13 and 14 GDPR set out the information that controllers should supply and when individuals should be informed. The information to supply is determined by whether or not the personal data were obtained directly from individuals or not.
The information supplied about the processing of personal data must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.
that you do choose to provide is also: 1) concise, transparent, intelligible and easily accessible; 2) written in clear and plain language, particularly if addressed to a child; and 3) free of charge.

Lastly, if you process the personal data based on the consent of the individual, then this consent should be freely given, specific, informed (as per the informationArticles 12, 13 and 14 GDPR set out the information that controllers should supply and when individuals should be informed. The information to supply is determined by whether or not the personal data were obtained directly from individuals or not.
The information supplied about the processing of personal data must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.
described above) and an unambiguous indication of the data subject’s intention. The consent should be done by a clear affirmative action or by a statement that is specific to the processing of personal data relating to him or her.

If this informationArticles 12, 13 and 14 GDPR set out the information that controllers should supply and when individuals should be informed. The information to supply is determined by whether or not the personal data were obtained directly from individuals or not.
The information supplied about the processing of personal data must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.
is not provided, your company is open to a great risk that may result to a data subject sending a complaint to the supervisory authority, which will likely conduct an investigation into the processes of your company. Any infringements on the data subject’s right to be informed about the processing of their personal data can be subject to administrative fines up to 20 000 000 euros or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

If you would like to receive further recommendations, or simply check your informationArticles 12, 13 and 14 GDPR set out the information that controllers should supply and when individuals should be informed. The information to supply is determined by whether or not the personal data were obtained directly from individuals or not.
The information supplied about the processing of personal data must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.
notice’s compliance to the GDPR click here to be transferred to the additional short survey we have compiled.
Additional useful resources, tools and further reading:
Resources, Tools & Solutions:

Information Notice Tool created by Cyberwatching.eu.
Self assessment checklist for GDPR Readiness Checklist Tool on legal basis (click on “transparency requirements”) by the Irish Data Protection Commission.
Writing a GDPR-compliant privacy notice (template included) by the EU Project gdpr.eu.

Further reading:

Guidelines on Transparency under Regulation 2016/679, by Article 29 Working Party, as last Revised and Adopted on 11 April 2018.

5 - Where neededThe prior collection of consent is necessary when no other lawful bases, pursuant to Article 6 GDPR, is applicable. For instance, the prior collection of consent is typically needed in case of processing of personal data for marketing or profiling puroposes.
[Art. 6 GDPR] (see Article 6 GDPR), does your organisation collect individuals consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] prior to processing their personal data?

According to the GDPR, where no other lawful bases may apply to the processing of personal data, prior consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] is necessary in order for the processing to take place legally.
Relying on consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] as a legal basis does not automatically mean that consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] is valid. In order to ensure that you comply with the criteria stipulated by the GDPR on consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] you must ensure that a) consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] has been collected correctly, and b) that as a controller you are able to demonstrate that the data subject has consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR]ed to the processing, which may mean that you should have systems in place to collect and store the preferences for consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] of the data subject. This evidence may be as simple as a screenshot of the date and time which consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] was received or having a database that is regularly updated with all the latest customer preferences.
In addition, please check the manner with which the request for consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] has been presented, collected, and granted in order to ensure valid consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR]. Specifically, consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] must be: 1. Freely given: implying that a real choice and control of the data subjects exists, therefore as a controller you must ensure that this freedom is communicated and able to be exercised by the data subject. For controllers who are the employers of data subjects pay attention into the inevitable imbalance that exists, therefore not truly allowing the data subject to freely give his consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR]; thus, before relying on it, assess whether another legal basis can be utilised instead (i.e. the performance of a contract or legal obligation). Attention should also be paid for the cases where the processing operations may involve more than one purpose, in which case the data subjects should be free to choose which purpose they accept rather than having to consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] to a bundle or processing purposes [Guidelines on Consent, p.10]. Lastly, it shall be as easy to give consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] as it should be to withdraw it [Art. 7 (3) of GDPR].
2. Specific: reiterating that consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] must be given in relation to one or more specific purposes. Having that said, consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] may still cover different processing activities (or operations), as long as these operations serve the same purpose. An example of this would include having a separate opt-in for each purpose, to allow users to give specific consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] for each unique purpose. [Guidelines on Consent, p.11.]
3. Informed: the requirement of transparency is fundamental, especially when relating to consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR], because obtaining the relevant information is necessary in order to enable your data subjects to make informed decisions, understand what they are agreeing to, and what rights they may exercise. An example of informed consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] is the inclusion of a summary of the privacy policy or at least a mention of the relevant consequences that will apply once the consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] is given and a link to the full privacy policy. In addition, you must inform the data subject of the right to withdraw consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] prior to giving consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] [Guidelines on Consent, p.11].
4. Unambiguous: consisting of a statement from the data subject or a clear affirmative act, through an obvious active motion or declaration. As a data controller, you should be able to show that the consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] was indeed granted in a clear way, either via a written or a recorded oral statement – without the use of pre-ticked opt-in boxes, which is invalid under the GDPR. Please keep in mind that consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] cannot be obtained by the same motion as agreeing to a contract or accepting general terms and conditions of a service

In addition, it is crucial that two additional conditions are met in order to successfully obtain valid consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR]: a) demonstrating that consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] has been obtained, b) ensuring the withdrawal of consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] is as easy as its granting. In order to demonstrate consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR], you should be cautious so as to not obtain more personal data than what is necessary. You should aim to find a way to link the processing activity with the consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] given by the data subject, for example you may:

Keep a record of consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] statements received to show how consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] was obtained, when it was obtained, the information provided to the data subject at the time of giving consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR];
Sustain a database that is regularly updated with all the latest customer preferences;
Take a screenshot of the date and time which consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] was received;
In an online environment, retain information on the session in which consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] was express, with documentation of the consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] workflow at the time of session and a copy of the information that was presented to the data subject at that time.

As pointed out by the European Data Protection Board, “it would not be sufficient to merely refer to a correct configuration of the respective website. [Guidelines on Consent, p.23.] ”. Furthermore, you should assess for how long consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] can last in the specific circumstances of the processing activity (the context, the scope of the original consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] and the reasonable expectations of the data subject). If the processing activities change or evolve considerably the original consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] will no longer be valid and new consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] will need to be obtained. The EDPB recommends refreshing consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] at appropriate intervals, depending on the four points mentioned above.
Furthermore, ensuring that withdrawal of consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] is a prominent aspect of compliance with guidelines on consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] [Guidelines on Consent, p.23.] . For example, if consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] was obtained through electronic measures (e.g., one mouse-click, swipe, or keystroke) the data subject should in practice be able to withdraw his / her consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] in an equally easy manner. If consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] was obtained through the use of a service-specific user interface (for example, a website, an app, a browser extension, a log-on account, the interface of an IoT device, or by e-mail, the EDPB expects that the data subject must be able to withdraw consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] through the same electronic interface. Switching interfaces between the two phases of collection and withdrawal is considered disproportionate effort and would not be compliant with the EDPB’s guidelines on valid consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR]. Please keep in mind that, if the withdrawal right does not meet the above GDPR requirements, the consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] mechanism does not comply with the GDPR. Finally, if the consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] is withdrawn the data controller must delete the data that was processed on the basis of consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] if no other purpose justifies the continued retention. However, if you chose to switch from consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] to another lawful basis, you cannot silently migrate from consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] to another lawful basis; you must notify the data subject in accordance with Articles 13 and 14.
Additional useful resources, tools and further reading:
Resources, Tools & Solutions:

Lawful basis interactive tool produced by the Information Commissioner’s Office (ICO). It is a useful interactive tool to receive tailored guidance on which lawful basis is likely to be the most appropriate for your processing activities. This tool will result to a rating for each lawful basis based on the answers to key questions, accompanied by suggestions on the actions you should take.
Self assessment checklist for GDPR Readiness Checklist Tool on legal basis (click on “personal data”) by the Irish Data Protection Commission.
Clym. It is a platform provided by an SME in the United Kingdom and it aims at website compliance. It covers 6 main areas of compliance, namely: Data consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] management, Cookie consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] management, Localisation and Consent receipts. This platform can help you keep track of consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] receipts, as well as manage cookie consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR]s in an appropriate and transparent manner. The Clym platform can be easily integrated into all major platforms for web design and development.

Further reading:

Guidelines 05/2020 on Consent under Regulation 2016/679 Version 1.1, Adopted May 2020.
Article 29 Working Party Guidelines on consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] under Regulation 2016/679, Adopted on November 2017 as last Revised and Adopted on 10 April 2018

According to the GDPR, where no other lawful bases may apply to the processing of personal data, prior consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] is necessary in order for the processing to take place legally.
Under the GDPR consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] has a two-fold criteria, the act of a correct collection of consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR], but also the controller’s ability to demonstrate that the data subject has consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR]ed to the processing; therefore as an SME you must ensure to have systems in place that collect and store the preferences for consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] of the data subject. This evidence may be as simple as a screenshot of the date and time which consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] was received or having a database that is regularly updated with all the latest customer preferences.
Additionally, the manner with which the request for consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] shall be presented, collected, and granted is important in order to ensure a valid consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR]. Specifically, consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] must be:
1. Freely given: implying that a real choice and control of the data subjects exists, therefore as a controller you must ensure that this freedom is communicated and able to be exercised by the data subject. For controllers who are the employers of data subjects pay attention into the inevitable imbalance that exists, therefore not truly allowing the data subject to freely give his consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR]; thus, before relying on it, assess whether another legal basis can be utilised instead (i.e. the performance of a contract or legal obligation). Attention should also be paid for the cases where the processing operations may involve more than one purpose, in which case the data subjects should be free to choose which purpose they accept rather than having to consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] to a bundle or processing purposes [Guidelines on Consent, p.10]. Lastly, it shall be as easy to give consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] as it should be to withdraw it [Art. 7 (3) of GDPR].
2. Specific: reiterating that consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] must be given in relation to one or more specific purposes. Having that said, consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] may still cover different processing activities (or operations), as long as these operations serve the same purpose. An example of this would include having a separate opt-in for each purpose (for example, marketing and profiling), to allow users to give specific consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] for each unique purpose. [Guidelines on Consent, p.11.]
3. Informed: the requirement of transparency is fundamental, especially when relating to consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR], because obtaining the relevant information is necessary in order to enable your data subjects to make informed decisions, understand what they are agreeing to, and what rights they may exercise. An example of informed consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] is the inclusion of a summary of the privacy policy or at least a mention of the relevant consequences that will apply once the consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] is given and a link to the full privacy policy. In addition, you must inform the data subject of the right to withdraw consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] prior to giving consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] [Guidelines on Consent, p.11].
4. Unambiguous: consisting of a statement from the data subject or a clear affirmative act, through an obvious active motion or declaration. As a data controller, you should be able to show that the consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] was indeed granted in a clear way, either via a written or a recorded oral statement – without the use of pre-ticked opt-in boxes, which is invalid under the GDPR. Please keep in mind that consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] cannot be obtained by the same motion as agreeing to a contract or accepting general terms and conditions of a service
An example of unambiguous consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] can be a privacy policy, accompanied by the request for consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] through an optional box at the end – which the data subject can actively tick on "I consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR]" [Guidelines on Consent, p.15.].
In addition, it is crucial that two additional conditions are met in order to successfully obtain valid consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR]: a) demonstrating that consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] has been obtained, b) ensuring the withdrawal of consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] is as easy as its granting. In order to demonstrate consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR], you should be cautious so as to not obtain more personal data than what is necessary. You should aim to find a way to link the processing activity with the consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] given by the data subject, for example you may:

Keep a record of consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] statements received to show how consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] was obtained, when it was obtained, the information provided to the data subject at the time of giving consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR];
Sustain a database that is regularly updated with all the latest customer preferences;
Take a screenshot of the date and time which consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] was received;
In an online environment, retain information on the session in which consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] was express, with documentation of the consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] workflow at the time of session and a copy of the information that was presented to the data subject at that time.

As pointed out by the European Data Protection Board, “it would not be sufficient to merely refer to a correct configuration of the respective website. [Guidelines on Consent, p.23.] ”. Furthermore, you should assess for how long consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] can last in the specific circumstances of the processing activity (the context, the scope of the original consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] and the reasonable expectations of the data subject). If the processing activities change or evolve considerably the original consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] will no longer be valid and new consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] will need to be obtained. The EDPB recommends refreshing consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] at appropriate intervals, depending on the four points mentioned above.
Furthermore, ensuring that withdrawal of consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] is a prominent aspect of compliance with guidelines on consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] [Guidelines on Consent, p.23.] . For example, if consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] was obtained through electronic measures (e.g., one mouse-click, swipe, or keystroke) the data subject should in practice be able to withdraw his / her consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] in an equally easy manner. If consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] was obtained through the use of a service-specific user interface (for example, a website, an app, a browser extension, a log-on account, the interface of an IoT device, or by e-mail, the EDPB expects that the data subject must be able to withdraw consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] through the same electronic interface. Switching interfaces between the two phases of collection and withdrawal is considered disproportionate effort and would not be compliant with the EDPB’s guidelines on valid consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR]. Please keep in mind that, if the withdrawal right does not meet the above GDPR requirements, the consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] mechanism does not comply with the GDPR. Finally, if the consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] is withdrawn the data controller must delete the data that was processed on the basis of consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] if no other purpose justifies the continued retention. However, if you chose to switch from consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] to another lawful basis, you cannot silently migrate from consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] to another lawful basis; you must notify the data subject in accordance with Articles 13 and 14.
As a last note and as can be concluded from the above, consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] is not an easy legal basis to implement and it brings upon many further requirements that can burden an SME. Consent may not always be the right legal basis, therefore, before counting on consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] and creating systems to ensure that it is valid, you should first check:

Is the processing necessary for the performance of a contract or to take steps at the request of the data subject prior to entering into a contract? (Art. 6 (1) (b) GDPR)
Is the processing necessary for your compliance with a legal obligation to which you are subject to? (Art. 6 (1) (c) GDPR)
Is the processing necessary for the protection of vital interests of the data subject or another natural person? (Art. 6 (1) (d) GDPR)
Is the processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in you? (Art. 6 (1) (e) GDPR)
Is the processing necessary for the purposes of the legitimate interest pursued by you or a third party? (Art. 6 (1) (f) GDPR)

If any of the above legal basis applies, then the legal basis of consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] is not necessary and should be avoided.
Not implementing a valid consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] into the processing activities is a serious risk, because it means that your company is processing personal data without a lawful basis. Under the GDPR, violations on such basic principles of processing may result to administrative fines up to 20 000 000 EUR, or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher [Art. 83 (5(a)) GDPR.]. Additionally, some European Member States may also provide for additional sanctions (such as criminal sanctions) [Artt. 83 (9) and 84 GDPR.].
Additional useful resources, tools and further reading:
Resources, Tools & Solutions:

Lawful basis interactive tool produced by the Information Commissioner’s Office (ICO). It is a useful interactive tool to receive tailored guidance on which lawful basis is likely to be the most appropriate for your processing activities. This tool will result to a rating for each lawful basis based on the answers to key questions, accompanied by suggestions on the actions you should take.
Self assessment checklist for GDPR Readiness Checklist Tool on legal basis (click on “personal data”) by the Irish Data Protection Commission.
Clym. It is a platform provided by an SME in the United Kingdom and it aims at website compliance. It covers 6 main areas of compliance, namely: Data consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] management, Cookie consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] management, Localisation and Consent receipts. This platform can help you keep track of consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] receipts, as well as manage cookie consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR]s in an appropriate and transparent manner. The Clym platform can be easily integrated into all major platforms for web design and development.
The DEFeND project supports healthcare organizations towards GDPR compliance and it provides methods and automation techniques for the specification, management and enforcement of personal data consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR]; a modular solution that covers different aspects of GDPR.

Further reading:

Guidelines 05/2020 on Consent under Regulation 2016/679 Version 1.1, Adopted May 2020.
Article 29 Working Party Guidelines on consent “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. For more information on the conditions for consent see Article 7 GDPR.
[Art. 4 (11) GDPR] under Regulation 2016/679, Adopted on November 2017 as last Revised and Adopted on 10 April 2018

6 - Does your organisation allow for data subjects to exercise their data subject rights?

the dates on which a request was received and resolved,
the identity of the requester,
the scope of the request, and
storing evidence of the actual communications exchanged with requesters.

The principle of transparency places a triple obligation upon the controller concerning the rights of data subjects, 1) provide information to data subjects on their rights (as required under Articles 13 (2(b) and 14 (2(c)) GDPR, 2) comply with the principle of transparency when communicating with data subjects in relation to their rights under Articles 15 to 22 and Article 34 GDPR, 3) facilitate the exercise of data subjects’ rights. Additional useful resources, tools and further reading:
Resources, Tools & Solutions:

A template for the Right to Erasure Request Form is provided by the gdpr.eu project, a project funded by the European Union Horizon 2020 can be relied on to create a workflow and have a template for handling the right to erasure, which is one of the more complication rights to be exercised per the GDPR.
Self assessment checklist for GDPR Readiness Checklist Tool on legal basis (click on “data subject rights”) by the Irish Data Protection Commission.

Further reading:

Further guidance on the right of accesshas been provided by the Information Commissioner’s Office (ICO).
Step-by-step Guide on how to deal with a request for information by the ICO.
Frequently Asked Questions on the Data Subject Access Requests by the Irish Data Protection Commission.

The GDPR obliges controllers to provide data subjects with relevant information as to the existence of their rights, and how they can be exercised (Arts. 13(2)(b) and 14(2)(c) GDPR. This means that your organisation must also develop a consistent and effective approach to receiving, tracking and addressing any requests received from data subjects to exercise any of the rights described below.
The approach which a controller chooses to implement regarding the response to data subject rights must consider several factors in order to correctly manage those responses under the GDPR, regardless of the type of request which is made. Once you receive a request, you must first take steps to reasonably identify and authenticate the requester, depending on the scope of the request and the level of risk involved. Having confirmed the identity of the requester, the controller should also confirm whether the organisation handles any personal data related to the requester. If not, the controller will be unable to address the request made, and should notify the requester of this. On the other hand, if it is confirmed that personal data related to the requester is processed by the controller, then it will be important to identify the type of request made, in order to properly respond. As a rule, all requests should be handled free of charge, unless the request is considered unfounded or excessive (for example, if the requester has made a similar or the same one in the past, or where the scope of a request is excessively broad), may the controller refuse to act on that request or charge a reasonable amount in order to respond (Art. 12(5) GDPR). Please ensure that you respond and address the data subject request in a timely manner, at most within one month of receipt of the request.
The principle of transparency places a triple obligation upon the controller concerning the rights of data subjects, 1) provide information to data subjects on their rights (as required under Articles 13 (2(b) and 14 (2(c)) GDPR, 2) comply with the principle of transparency when communicating with data subjects in relation to their rights under Articles 15 to 22 and Article 34 GDPR, 3) facilitate the exercise of data subjects’ rights.
As mentioned above, the controller must keep track of all requests received and responses given to those requests, so that it can demonstrate its compliance with the GDPR rules, therefore it is good practice to keep a register of data subject requests, listing:

the dates on which a request was received and resolved,
the identity of the requester,
the scope of the request, and
storing evidence of the actual communications exchanged with requesters.

Below are the rights that you must inform a data subject of, and ensure that they are able to exercise them easily:

The right of access to a) obtain confirmation from the controller as to whether or not personal data concerning him/her are being processed; b) those personal data and receive a copy of those personal data, c) receive information about the processing of personal data undertaken.
The right to rectification allows the data subject to indicate the information which he/she wishes to correct or complete,
The right to erasure, or ‘right to be forgotten’ (Art. 17 GDPR) needs to have a specific scope in order for the request for erasure to be considered valid. Data subjects are allowed to demand that a controller erase personal data relating to them if:

those data are no longer necessary in relation to the purposes for which they were collected or are processed by the controller (Art. 17(1)(a) GDPR);
the personal data were processed on the basis of the data subject’s consent, and the data subject withdrew the consent given;
the data subject files a valid objection to the processing of their personal data by the controller (more on the right to objection below;
the personal data have been processed unlawfully;
an applicable legal obligation upon the controller, rooted in EU or Member State law, requires the controller to erase those personal data; or
the personal data were collected in the context of the provision of information society services to children, on the basis of consent provided by those children or adults with parental responsibilities over those children (Art. 8 GDPR).

gdpr.eu project

Right to Erasure Request Form

The right to restriction of processing allows data subjects to request that controllers place their personal data under restricted conditions of use. However, it is important to note that as set out in Art. 18 (2) GDPR, the controller can continue to store personal data covered by a request for restriction of processing. In addition, in order for such a request to be valid the data subject must either have a) contested the accuracy of the personal data processed (Art. 18 (1(a)) GDPR), the processing must be unlawful (Art. 18(1(b)) GDPR) , the controller no longer requires the personal data in connection to the purposes for their collection and processing (Art. 18(1(c)) GDPR), or the data subject has objected to the processing of personal data and the controller requires time to assess whether to grant the objection or not (Art. 18(1(d)) GDPR.
The right to data portability (Art. 20 GDPR) gives individuals the right to receive personal data they have provided to the controller in a structured, commonly used and machine-readable format. In addition, it includes the right to request that a controller transmit those data directly to another controller.The data subject should not have any hindrance in exercising this right, whether it be legal, technical, or financial obstacles which may refrain or slow down access, transmission, reuse by the data subject (for example, requesting a fee, lack of interoperability format or access to a data format / API, excessive delays in retrieving the full dataset, etc.). Data controllers could evaluate two different ways of providing portable data to the data subjects or to other data controllers: a) a direct transmission of the overall dataset of portable data (or several extracts of parts of the global dataset); b) an automated tool that allows extraction of relevant data.
The right to object to processing (Art. 21 GDPR) allows data subjects to seek to prevent a controller from continuing to process their personal data for a given purpose, such as the right to object to the processing of their personal data for direct marketing purposes (Art. 21(2) GDPR)), including profiling activities.
The rights concerning automated individual decision-making (Art. 22 GDPR) which include a set of rights for data subjects in relation to processing activities that classify as ‘automated individual decision-making’. If you carry out processing activities that rely on automated individual decision-making, please respond to question 7 and carefully study the recommendations provided.

Additional useful resources, tools and further reading:
Resources, Tools & Solutions:

A template for the Right to Erasure Request Form is provided by the gdpr.eu project, a project funded by the European Union Horizon 2020 can be relied on to create a workflow and have a template for handling the right to erasure, which is one of the more complication rights to be exercised per the GDPR.
Self assessment checklist for GDPR Readiness Checklist Tool on legal basis (click on “data subject rights”) by the Irish Data Protection Commission.

Further reading:

Further guidance on the right of accesshas been provided by the Information Commissioner’s Office (ICO).
Step-by-step Guide on how to deal with a request for information by the ICO.
Frequently Asked Questions on the Data Subject Access Requests by the Irish Data Protection Commission.

7 - Does your organisation offer online services directly to childrenChildren merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child.
[Recital (38) GDPR] aged 13 or over?

Children, due to their nature and lack of maturity may be less aware of the risks, consequences and security when it comes to providing and protecting their personal data online, therefore a company that offers services to childrenChildren merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child.
[Recital (38) GDPR] should be aware that they are taking a greater risk and should introduce even more specific and enhanced safeguards. The GDPR creates an additional layer of protection for all types of collection of personal data of childrenChildren merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child.
[Recital (38) GDPR] regardless of its nature. Keep in mind that the age consideration to define “childrenChildren merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child.
[Recital (38) GDPR]” is where the child is at least 16 years old, however, the GDPR leaves leeway for each European Member State to decide whether to lower the age to the minimum of 13 years old or somewhere in between [Art. 8 (2) GDPR.].” Additional useful resources, tools and further reading:
Further reading:

-Children’s Code hub is a set of resources that has been collated by the Information Commissioner’s Office (ICO).
-Age appropriate design: Code of practice for online services is a data protection code of practice for online services, such as apps, online games, and web and social media sites, likely to be accessed by childrenChildren merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child.
[Recital (38) GDPR], created by ICO. This Code aims to set a benchmark for the appropriate protection of childrenChildren merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child.
[Recital (38) GDPR]s’ personal data and asks for controllers to build the standard into the design processes, upgrades and services’ development processes. It also includes a reference to a Data Processing Impact Assessment which can be used to record the process and result of the impact of an online service likely to be accessed by childrenChildren merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child.
[Recital (38) GDPR].
-Children’s Fundamentals – A guide to protecting childrenChildren merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child.
[Recital (38) GDPR]’s personal data published by the Irish Data Protection Commission (DPC)
-The rights of childrenChildren merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child.
[Recital (38) GDPR] and young people on digital platforms has been created by the Swedish Authority for Privacy Protection and provides general support on data protection regulation for childrenChildren merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child.
[Recital (38) GDPR].

7B - Does your organisation collect the consentWhere the legal basis of consent is applied, meaning that no other legal basis is appropriate, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
Member States may provide by law, a lower age for those purposes - provided that such lower age is not below 13 years.
[Article 8 GDPR - Conditions applicable to child's consent in relation to information society services'] from the parent or from someone holding the parental responsibility for the child?

Where the child is below the age of 16 years, or a lower age provided by each Member State law, the processing of the personal data of a child being offered information society services is only lawful if the consent is given or authorised by the holder of parental responsibility over the child [Guidelines on Consent, p.24.]. Therefore, it is clear that receiving valid consent from parents is a crucial point when it comes to handling the personal data of children. If your company offers information society services directly to children, not having a procedure to collect parental consent will highly raise the risks to be sanctioned under the GDPR.
The administrative fines applicable in cases of violations to a data controller’s obligation to receive valid consent for processing children’s personal data may be up to 10 000 000 EUR or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
In order to ensure that consent is obtained, where necessary, you will need to establish the age of the child with a level of certainty. The ICO has produced a Code of practice for age-appropriate design for online services which would ensure that the methods used is appropriate to the risks that arise from your data processing. Some methods to establish the age of the child include:

Self-declaration– Where a user simply states their age but does not provide any evidence to confirm it. It may be suitable for low-risk processing or when used in conjunction with other techniques. Even if you prefer to apply the standards in the code to all your users, self-declaration of age can provide a useful starting point when providing privacy information and age-appropriate explanations of processing.
Artificial intelligence– It may be possible to make an estimate of a user’s age by using artificial intelligence to analyse the way in which the user interacts with your service. Similarly, you could use this type of profiling to check that the way a user interacts with your service is consistent with their self-declared age. This technique will typically provide a greater level of certainty about the age of users with increased use of your service. If you choose to use this technique then you need to: i. tell users that you are going to do this upfront; ii. only collect the minimum amount of personal data that you need for this purpose; and iii. not use any personal data you collect for this purpose for other purposes.
Third party age verification services– You may choose to use a third-party service to provide you with an assurance of the age of your users. Such services typically work on an ‘attribute’ system where you request confirmation of a particular user attribute (in this case age or age range) and the service provides you with a ‘yes’ or ‘no’ answer. This method reduces the amount of personal data you need to collect yourself and may allow you to take advantage of technological expertise and latest developments in the field. If you use a third-party service you will need to carry out some due diligence checks to ensure that the level of certainty with which it confirms age is sufficient (PAS standard 1296 ‘Online age checking’ may help you with this), and that it is compliant with data protection requirements. You should also provide your users with clear information about the service you use.
Account holder confirmation- You may be able to rely upon confirmation of user age from an existing account holder who you know to be an adult. For example, if you provide a logged-in or subscription-based service, you may allow the main (confirmed adult) account holder to set up child profiles, restrict further access with a password or PIN, or simply confirm the age range of additional account users.
Technical measures– Technical measures which discourage false declarations of age, or identify and close underage accounts, may be useful to support or strengthen self-declaration mechanisms. Examples include neutral presentation of age declaration screens (rather than nudging towards the selection of certain ages), or preventing users from immediately resubmitting a new age if they are denied access to your service when they first self-declare their age.
Hard identifiers– You can confirm age using solutions which link back to formal identify documents or ‘hard identifiers’ such as a passport. However, we recommend that you avoid giving users only the choice of providing hard identifiers, unless the risks inherent in your processing really warrant such an approach. Some children do not have access to formal identity documents and may have limited parental support, making it difficult for them to access age verified services at all, even if they are age appropriate. Requiring hard identifiers may also have a disproportionate impact on the privacy of adults.

The administrative fines applicable in cases of violations to a data controller’s obligation to receive valid consent for processing children’s personal data may be up to 10 000 000 EUR or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Additional useful resources, tools and further reading:
Further reading:

Guidelines 05/2020 on Consent under Regulation 2016/679 Version 1.1, Adopted May 2020, pages 25-29.
Age appropriate design: code of practice for online services.
Guide on consent published by the Information Commissioner’s Office (ICO).

Self-declaration– Where a user simply states their age but does not provide any evidence to confirm it. It may be suitable for low-risk processing or when used in conjunction with other techniques. Even if you prefer to apply the standards in the code to all your users, self-declaration of age can provide a useful starting point when providing privacy information and age-appropriate explanations of processing.
Artificial intelligence– It may be possible to make an estimate of a user’s age by using artificial intelligence to analyse the way in which the user interacts with your service. Similarly, you could use this type of profiling to check that the way a user interacts with your service is consistent with their self-declared age. This technique will typically provide a greater level of certainty about the age of users with increased use of your service. If you choose to use this technique then you need to: i. tell users that you are going to do this upfront; ii. only collect the minimum amount of personal data that you need for this purpose; and iii. not use any personal data you collect for this purpose for other purposes.
Third party age verification services– You may choose to use a third-party service to provide you with an assurance of the age of your users. Such services typically work on an ‘attribute’ system where you request confirmation of a particular user attribute (in this case age or age range) and the service provides you with a ‘yes’ or ‘no’ answer. This method reduces the amount of personal data you need to collect yourself and may allow you to take advantage of technological expertise and latest developments in the field. If you use a third-party service you will need to carry out some due diligence checks to ensure that the level of certainty with which it confirms age is sufficient (PAS standard 1296 ‘Online age checking’ may help you with this), and that it is compliant with data protection requirements. You should also provide your users with clear information about the service you use.
Account holder confirmation- You may be able to rely upon confirmation of user age from an existing account holder who you know to be an adult. For example, if you provide a logged-in or subscription-based service, you may allow the main (confirmed adult) account holder to set up child profiles, restrict further access with a password or PIN, or simply confirm the age range of additional account users.
Technical measures– Technical measures which discourage false declarations of age, or identify and close underage accounts, may be useful to support or strengthen self-declaration mechanisms. Examples include neutral presentation of age declaration screens (rather than nudging towards the selection of certain ages), or preventing users from immediately resubmitting a new age if they are denied access to your service when they first self-declare their age.
Hard identifiers– You can confirm age using solutions which link back to formal identify documents or ‘hard identifiers’ such as a passport. However, we recommend that you avoid giving users only the choice of providing hard identifiers, unless the risks inherent in your processing really warrant such an approach. Some children do not have access to formal identity documents and may have limited parental support, making it difficult for them to access age verified services at all, even if they are age appropriate. Requiring hard identifiers may also have a disproportionate impact on the privacy of adults.

Guidelines 05/2020 on Consent under Regulation 2016/679 Version 1.1, Adopted May 2020, pages 25-29.
Age appropriate design: code of practice for online services.
Guide on consent published by the Information Commissioner’s Office (ICO).

8 - Does your organisation put in place any form of automated processing of personal data that involves the use of personal data to evaluate certain personal aspects relating to a natural person, such as to analyse or predict its personal preferences, interests, behaviour, etc. (i.e. profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR])?

Initially, the GDPR stipulates that the data subject shall have the right not to be subject to a decision based solely on automated processing, including profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR], which produces legal effects concerning him or her or similarly significantly affects him or her [Art. 22 (1) GDPR.]. Therefore, if you plan to conduct any automated individual decision-making (that produces legal effects to the data subject), the only way to do so is if the decision:

is necessary for entering into, or performance of, a contract between the data subject and a data controller; or
is authorised by European or Member State law to which the controller is subject to and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
is based on the data subject's explicit consent [Art. 22 (2) GDPR.].

If one of the above legitimate basis is used, as a controller, you must still implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, including at least the right to obtain human intervention, to express his or her point of view, and to contest the decision (made through automated processing) [Art. 22 (3) GDPR.]. In short, this means that if you implement automated individual-decision making, the European legislators expect further rights to be available to data subjects. Please keep in mind that automated decision-making that involves special categories of personal data is only allowed if the controller has received explicit consent from the data subject, or if there is a substantial public interest to conduct such decision making. Naturally, the safeguards implemented (and mentioned later) must be more suitable, and of a higher level [Art. 22 (4) GDPR.].

So, what exactly are the elements to assess whether you are conducting automated decision-making? Overall, a decision based solely on automated processing means that there is no human involvement in the decision process.

However, pay attention to the fact that even if there is a routinely human involvement, but it does not actually influence the result of the automatic decision making, this can still be considered a decision based solely on automated processing. In short, if you are unsure of whether your processing qualifies as an automated processing, then, we recommend assessing whether any human involvement has a meaningful oversight, such as someone who has authority to change the decision, rather than a mere formality. For example, if a tool is implemented on roads in order to verify the speed limit of cars and marks them as above the speed limit, the decision of imposing a speeding fine will be solely based on automated decision making. Continuing with this scenario, if a policeman is involved merely to notify the speeding fines to the car driver and does not have the power to influence the decision itself, this cannot be considered human intervention for the purpose of Article 22.

Further, a decision based solely on automated processing needs to produce ‘legal’ or ‘similarly significant effects’, meaning that the decision must include serious impactful effects for a data subject, in order for it to be covered under this definition [Guidelines on Automated individual decision-making and profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR], for the purposes of Regulation 2016/679, pg. 21.]. On the one side, examples of this type of ‘legal’ effect may be something that affects a person’s legal status, or their rights under a contract, such as the termination of a contract, the entitlement / denial of a social benefit granted by law, etc. On the other side, other ‘similarly significant effects’ may also be sufficient to trigger the definition of automated decision-making, so long as such effects significantly affect the circumstances, behaviour or choices of the individuals concerned, and have a prolonged or permanent impact on the data subject. Examples of decisions that have ‘similarly significant effects’ may include intrusive profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR], automatic refusal of an online credit application, e-recruiting practices without any human intervention, or decisions that affect someone’s access to health services, or to education (i.e., university admissions) [Guidelines on Automated individual decision-making and profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR], for the purposes of Regulation 2016/679, pg. 22.].

Automated decision-making may partially overlap with profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR]; since online advertising has increased reliance on automated tools. In many typical cases, the decision to present targeted advertising based on profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR] will not have similarly significant effects on individuals (for example, an advertisement for an online shop based on simple demographic profile ‘woman, in Italy, aged between 20 and 30’). However, it is possible that profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR] falls under the definition of automated decision-making if the particular case a) implies intrusive profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR] process (i.e., tracking individuals across different websites, devices and services), or, b) includes an obvious advert delivery, using knowledge of the vulnerabilities of the data subjects targeted. Additionally, differential pricing based on profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR] characteristics and behaviors of the user may also have ‘significant effects’, if that person is essentially limited from buying certain goods or services. Please note that if the profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR] relates to social media profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR] and / or targeting (such as by a social media provider) is likely to have a “similarly significant effect on a data subject”, Article 22 will be applicable. The EDPB highlights that this means the controller must, in each instance of targeting, conduct a case-by-case assessment to decide whether the profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR] will similarly significantly affect a data subject with reference to the specific facts of the targeting [Guidelines 8/2020 on the targeting of social media users, Version 2.0, Adopted on 13 April 2021, pg.25.].
Therefore, automated decision-making may partially overlap with or result from profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR]. If you assess that the online social media targeting you are carrying out falls within the scope of Article 22 (meaning that targeting would have the potential to significantly and adversely affect a data subject), then one of the legal basis outlined above would be required [Guidelines 8/2020 on the targeting of social media users, Version 2.0, Adopted on 13 April 2021, pg.26.]. .

All in all, where the decision stemming from profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR] activity is solely based on automated decision-making, and it produces legal effects, or similarly significant effects, then the profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR] is also an automated decision-making processing.

As a controller, you may carry out profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR] and automated decision-making so long as you respect all the principles and have a proper legal basis for the processing. A key accountability tool is the Data Protection Impact Assessment, since automated decision-making activities may often lead to high risks for the data subjects. Carrying out a DPIA will both enable you to assess the risks of the processing activity, as well as demonstrate that you have put in place appropriate measures to address those risks [Guidelines on Automated individual decision-making and profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR], for the purposes of Regulation 2016/679, pg. 29.] . Furthermore, Article 35(3) GDPR describes that a processing activity likely to result in high risks includes a systematic and extensive evaluation of personal aspects which is based on automated decision-making, including profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR]. Therefore it is highly recommended that you carry out a DPIA, but if you decide not to, please check whether automated decision-making and profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR] fall within the activities that must mandatorily carry out a DPIA, which are available here but also in the designated national supervisory authority’s website. In addition, when it comes to solely automated decision-making, including profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR], you must apply additional safeguards for all the general principles of the GDPR, such as:

while providing data protection related information to the data subject (i.e., in the privacy policy), you must additionally provide meaningful information about the logic involved in the automated decision making, as well as the significance and envisaged consequences of such processing for data subjects, for example, how the automated decision-making process is built and how it is used for a decision concerning the data subject [Art. 13 (2) (f) GDPR.] ;
providing the right to object to the automated processing has to be explicitly mentioned to the data subject, presented clearly and separately from other information [Art. 21 (4) GDPR.].

Automated processing of personal data allows you to have a structured understanding of your data subjects that may be exploited in several ways, therefore the GDPR requires that automated processing should be accompanied by appropriate safeguards. Below you can find a list drafted by the European Data Protection Board (also known as Working Party 29), which has attempted to offer some good practice recommendations for controllers’ safeguards [Guidelines on Automated individual decision-making and profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR], for the purposes of Regulation 2016/679, pg. 32.]:

quality checks of systems, regularly, to ensure that individuals are treated fairly;
algorithmic auditing, by testing the algorithms used and developed by machine learning systems, to check their performance;
incorporating data minimisation in the automated processes, by identifying clear retention periods for profiles and any other personal data used;
implementing anonymisation or pseudonymisation techniques in the context of profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR];

The creation of a mechanism where data subjects can request human intervention when they are affected by a decision that is solely based on automated processing (i.e., providing an appeal process). For example, if you receive an e-mail that informs you of an automated decision made using your personal data, in the footer of this e-mail it should be notified that this decision was taken in this way, and also offering a link usable to request a human intervention to be involved in this decision.

Additional useful resources, tools and further reading:
Further reading:

Guidelines on Automated individual decision-making and profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR], for the purposes of Regulation 2016/679.

If you plan to conduct any automated individual decision-making (that produces legal effects to the data subject), the only way to do so is if the decision:

is necessary for entering into, or performance of, a contract between the data subject and a data controller; or
is authorised by European or Member State law to which the controller is subject to and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
is based on the data subject's explicit consent[Art. 22 (2) GDPR].

So, what exactly are the elements to assess whether you are conducting automated decision-making? Overall, a decision based solely on automated processing means that there is no human involvement< in the decision process.
However, if you are unsure of whether your processing qualifies as an automated processing, then, we recommend assessing whether any human involvement has a meaningful oversight, such as someone who has authority to change the decision, rather than a mere formality. For example, if a tool is implemented on roads in order to verify the speed limit of cars and marks them as above the speed limit, the decision of imposing a speeding fine will be solely based on automated decision making. Continuing with this scenario, if a policeman is involved merely to notify the speeding fines to the car driver and does not have the power to influence the decision itself, this cannot be considered human intervention for the purpose of Article 22.
Further, a decision based solely on automated processing needs to produce ‘legal’ or ‘similarly significant effects’, meaning that the decision must include serious impactful effects for a data subject, in order for it to be covered under this definition [Guidelines on Automated individual decision-making and profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR], for the purposes of Regulation 2016/679, pg. 21.].
On the one side, examples of this type of ‘legal’ effect may be something that affects a person’s legal status, or their rights under a contract, such as the termination of a contract, the entitlement / denial of a social benefit granted by law, etc. On the other side, other ‘similarly significant effects’ may also be sufficient to trigger the definition of automated decision-making, so long as such effects significantly affect the circumstances, behaviour or choices of the individuals concerned, and have a prolonged or permanent impact on the data subject. Examples of decisions that have ‘similarly significant effects’ may include intrusive profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR], automatic refusal of an online credit application, e-recruiting practices without any human intervention, or decisions that affect someone’s access to health services, or to education (i.e., university admissions) [Guidelines on Automated individual decision-making and profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR], for the purposes of Regulation 2016/679, pg. 22.].
Automated decision-making may partially overlap with profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR]; since online advertising has increased reliance on automated tools. In many typical cases, the decision to present targeted advertising based on profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR] will not have similarly significant effects on individuals (for example, an advertisement for an online shop based on simple demographic profile ‘woman, in Italy, aged between 20 and 30’). However, it is possible that profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR] falls under the definition of automated decision-making if the particular case a) implies intrusive profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR] process (i.e., tracking individuals across different websites, devices and services), or, b) includes an obvious advert delivery, using knowledge of the vulnerabilities of the data subjects targeted. Additionally, differential pricing based on profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR] characteristics and behaviours of the user may also have ‘significant effects’, if that person is essentially limited from buying certain goods or services. Please note that if the profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR] relates to social media profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR] and / or targeting (such as by a social media provider) is likely to have a “similarly significant effect on a data subject”, Article 22 will be applicable. The EDPB highlights that this means the controller must, in each instance of targeting, conduct a case-by-case assessment to decide whether the profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR] will similarly significantly affect a data subject with reference to the specific facts of the targeting [Guidelines 8/2020 on the targeting of social media users, Version 2.0, Adopted on 13 April 2021, pg.25.].
Therefore, automated decision-making may partially overlap with or result from profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR]. If you assess that the online social media targeting you are carrying out falls within the scope of Article 22 (meaning that targeting would have the potential to significantly and adversely affect a data subject), then one of the legal basis outlined above would be required [Guidelines 8/2020 on the targeting of social media users, Version 2.0, Adopted on 13 April 2021, pg.26.].
All in all, where the decision stemming from profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR] activity is solely based on automated decision-making, and it produces legal effects, or similarly significant effects, then the profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR] is also an automated decision-making processing. Additional useful resources, tools and further reading:
Further reading:

Guidelines on Automated individual decision-making and profilingThe GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals (i.e., about their personal preferences, interests, reliability, etc.). The use of the word ‘evaluating’ suggests that profiling involves some form of assessment or judgement about a person.
[Art. 4 (4) GDPR], for the purposes of Regulation 2016/679.

9 - Does your organisation transfer data outside the EUWhen personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organisations, the level of protection of natural persons ensured in the Union by the GDPR should not be undermined, including in cases of onward transfers of personal data from the third country or international organization to controllers, processors in the same or another third country or international organization. In any event, transfers to third countries and international organisations may only be carried out in full compliance with the Regulation.
[Art. 46 GDPR]?

Any transfers of personal data outside the European Union should always be made with caution, because the GDPR only allows for such transfers under a strict lawfulness mechanism stipulated in the GDPR to ensure that the transfer is subject to appropriate safeguards. The first step is to identify, as an exporter, the transfers of personal data outside of the EEA and secondly verify the corresponding transfer mechanism that the transfer will be relied on. Knowing your transfers means recording and mapping them, and understanding your processors and sub-processors. A good practice is to build on the records of processing activities (if you are obliged to maintain them) and include the transfers of data. Also map further or onward transfers (for instance whether your processors outside the EEA transfer your personal data to a sub-processor in another third country). Please be aware that remote access from a third country or cloud storage in a cloud situated outside the EEA is also considered a transfer.

The second step is to identify the transfer tools you will rely on. Firstly, check the European Commission’s adequacy decisions (Article 45 GDPR), which at the moment only offer safeguards for a small portion of non-EU countries. The existence of an adequacy decision means you’re your company can transfer to that country without any specific authorisation or extra safeguards than those implemented for transfers within the European Union. You may find a list of the adequacy decisions here. If you rely on an adequacy decision, you do not need to take into consideration the below safeguards.
However, for the majority of the cases, there is an absence of an adequacy decision; which means that as a controller or processor, you may only transfer personal data if you have provided appropriate safeguards to ensure the availability of rights and legal remedies for data subjects (Article 46 GDPR). Below are some tools that the GDPR offers to provide such safeguards:

Standard data protection clauses adopted by the Commission, which are probably the most common way of transferring personal data outside the European and are stipulated in Article 46 GDPR. These clauses are model clauses that give the necessary mandate and ensures that safeguards will be implemented in the transfers. It is the most preferred method of legally transferring personal data to non-EU countries because these model clauses can be attached to any contractual agreement or data protection agreement that is to be signed between the exporter (company sending the personal data) and the importer (company receiving the personal data). The final working document of the Standard Contractual Clauses (SCCs) was published on June 4th 2021, and will enter into force twenty days after the publication in the Official Journal of the European Union. The old version of the Standard Contractual Clauses which have been relied on by companies until 2021 will be repealed three months after the new SCCs enter into force. This means that if your company enters into new contracts with non-EU processors after the old SCCs were repealed, you must use the new SCCs. If your company concluded a contract including the old SCCs prior to the date of their repeal, it will be a valid transfer mechanism for 15 months following the date of their repeal. In short, approximately within the transition period of 18 months, you must substitute the old SCCs with the new version published in 2021. companies who transfer personal data to non-EU.
Codes of conduct, which have been approved by the competent supervisory authority (meaning, the supervisory authority that is on the territory of the main establishments of your company) – this may soon be available due to the efforts of Digital SME. If you comply with a code of conduct, you shall still have binding and enforceable commitments from the controller or processor in the non-EU country, in order to ensure that the appropriate safeguards are applied equally to their operations. In fact, on May 19th 2021 the Belgian Data Protection Authority approved the first transnational code of conduct adopted within the EU since the GDPR entered into force, namely, the EU Data Protection Code of Conduct for Cloud Service Providers.
Certification mechanisms, which have been approved by the competent supervisory authority (meaning, the supervisory authority that is on the territory of the main establishments of your company). If you comply with a certification mechanism, you shall still have binding and enforceable commitments from the controller or processor in the non-EU country, in order to ensure that the appropriate safeguards are applied equally to their operations.
Binding Corporate Rules (also known as “BCRs”), is a transfer mechanism that may not be easily applicable to SMEs since it mostly applies to group of undertakings or enterprises that are engaged in a joint economic activity ( Article 47 GDPR). However, if this is applicable to you, the Binding Corporate Rules are an internal binding contract for the purpose of ensuring that all data transfers within a corporate group are on an adequate level of protection, and must contain both privacy principles (i.e., transparency, data minimisation, purpose limitation) and tools of effectiveness (i.e., audit, training, or complaint handling systems) of the agreement The EDPB also provides a list of the BCRs approved under the GDPR..
In the absence of any of the above safeguards for transfers, there are specific derogations that may allow you to continue transferring the personal data to a third country; for example:
- if the data subject has explicitly consented to the proposed transfer (after having been informed of possible risks), or
- if the transfer is based on the performance of a contract at the data subject’s request, or
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject, or
- the transfer is necessary for important reasons of public interest, or
- for the establishment, exercise or defence of legal claims, or
- if the transfer is necessary to protect the vital interest of the data subject or of other persons, or
- if the transfer is made from a register which according to Union or Member State law is intended to provide information to the public [Article 49 GDPR].

The third step is to assess the circumstances of the transfer and the effectiveness of the transfer tool you chose. Depending on the result of this assessment, it may be necessary to implement additional measures to ensure an equivalent level of protection to that of within the EEA. Therefore, you must assess, with the collaboration of the importer, any aspects of the law or practice in the third country to which you are transferring personal data that hinder the effectiveness of the transfer tool you rely on. This assessment must take into consideration, for example,

all actors participating in the transfer (controllers, processors, sub-processors processing data in the third country)
any onward transfers that may occur
the domestic legal order of the country to which the data is transferred (or onward transferred),
the applicable legal context will depend on the circumstances of the transfer, in particular:

the purposes for which the data are transferred (e.g., marketing, HR, storage, IT support, etc.)
types of entities involved in the processing (public/private, controller/processor, etc.)
sector in which the transfer occurs (e.g., adtech, telecommunication, financial, etc.)
categories of personal data transferred
storage in third country or mere remote access to data storage within EU/EEA
format of data to be transferred (will it be in plain text, pseudonymised or encrypted?)
possibility that the data may be onward transferred.

Assess whether the applicable laws:

impinge on the commitments to enable data subject rights in the context of international transfers, or in their fundamental rights, especially the right of redress in case of access by third country public authorities to the transferred data;
require the disclosure of personal data to public authorities or granting such public authorities powers to access personal data (in the context of criminal law enforcement, regulatory supervision and national security purposes;
have a legal system that respect the rule of law, for example ensuring that there are available mechanisms for individuals to obtain (judicial) redress against unlawful government access to personal data;
have a comprehensive data protection law or independent data protection authority.

The fourth step is reliant on the result of the third step above. If your assessment under step 3 reveals that the transfer tool is not effective due to the specific circumstances of the third country which the personal data is being transferred you will need to consider additional “supplementary measures” in order to ensure an essentially equivalent level of protection [C-311/18 (Schrems II), paragraphs 130 and 133.]. These supplementary measures will need to be identified on a case-by-case basis. The nature of the supplementary measures may be contractual, technical, organizational or a combination. The EDPB has provided a list of non-exhaustive technical, contractual and organizational measures in Annex 2 of the EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, which you can assess and consider.
Lastly, you must monitor the developments in a third country to which you transferred personal data in order to check whether your initial assessment and decision on the level of protection has been affected or not. Additional useful resources, tools and further reading:
Further reading:

EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, Adopted on 10 November 2020.

10 - Does your company provide employees who carry out data processing activities on your behalf with written instructions (i.e. authorisation to processing of personal dataThe processor and any person acting under the authority of the controller or of the processor (i.e., employees or regular collaborators / partners who are acting only on behalf of your organisation), who has access or process to personal data.
[Article 29 GDPR – Processing under the authority of the controller or processor]) or training sessions on how to process personal data?

11 - Does your organisation use suppliers who process personal data on behalf of the organisationSuppliers can consist of any natural or legal person, or other body, which processes personal data on behalf of the controller. This means that they do not process personal data for their own purposes but only for the purposes you, as a controller, have determined.
[Art. 4(8) GDPR.] ?

11B - Does your organisation provide your suppliers with Data Processing AgreementsProcessing by a processor must be governed by a contract, which binds the processor with the instructions of the controller and is specifically tackling the data processing operations.
[Art. 27 (3) GDPR]?

As a data controller, you are responsible for the personal data you collect and process – as well as the data that is processed by your chosen data processors. Not having entered into any form of contractual agreements with your processors increases your exposure to sanctions of the GDPR.

We recommend ensuring that you enter into a contract with your processors, under the title of a Data Processing Agreement, which will strictly handle data protection matters and clearly stipulate the instructions of the controller towards the processor. A standard Data Protection Agreement must at least include:

the subject-matter and duration of the processing;
the nature and purpose of the processing;
the type of personal data;
the categories of data subjects;
the obligations and rights of the data controller against the data processor [Article 28 (3) GDPR] .

We also suggest keeping an organised archive of the signed DPAs between you as a data controller and your suppliers or service providers as data processors, in order to be able to easily and quickly provide them to the supervisory authority should an investigation arise.
Please mind that violations to controller obligations, such as not properly defining data processors by signing a legally binding contract (or other appropriate legal act) with them, may be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher [Article 83 (4) (a)] .

Additional useful resources, tools and further reading:
Resources, Tools & Solutions:

The gdpr.eu project is a project funded by the European Union Horizon 2020 and provides many useful resources for organisations and individuals researching the General Data Protection Regulation. It provides information to help organisations achieve GDPR compliance, including different templates, such as the template for a Data Processing Agreement. This template provides a starting point from which your organisation can start in order to create a standard Data Processing Agreement. Your organization can rely on this template, however, you should enhance and complete it, where necessary, with the details of the nature and purpose of the processing, as well as the type of personal data and categories of data subjects.

Further reading:

the subject-matter and duration of the processing;
the nature and purpose of the processing;
the type of personal data;
the categories of data subjects;
the obligations and rights of the data controller against the data processor [Article 28 (3) GDPR] .

Please mind that violations to controller obligations, such as not properly defining data processors by signing a legally binding contract (or other appropriate legal act) with them, may be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher [Article 83 (4) (a)] .
Additional useful resources, tools and further reading:
Resources, Tools & Solutions:

The gdpr.eu project is a project funded by the European Union Horizon 2020 and provides many useful resources for organisations and individuals researching the General Data Protection Regulation. It provides information to help organisations achieve GDPR compliance, including different templates, such as the template for a Data Processing Agreement. This template provides a starting point from which your organisation can start in order to create a standard Data Processing Agreement. Your organization can rely on this template, however, you should enhance and complete it, where necessary, with the details of the nature and purpose of the processing, as well as the type of personal data and categories of data subjects.

Further reading:

12 - Have you identified whether the appointment of a Data Protection Officer is mandatoryThe controller and the processor shall designate a data protection officer in any case where:
(1) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
(2) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 GDPR and personal data relating to criminal convictions and offences referred to in Article 10 GDPR.
[Article 37 GDPR - Designation of the data protection officer] for your organisation?

Your company should at least identify whether having a Data Protection Officer is mandatoryThe controller and the processor shall designate a data protection officer in any case where:
(1) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
(2) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 GDPR and personal data relating to criminal convictions and offences referred to in Article 10 GDPR.
[Article 37 GDPR - Designation of the data protection officer] or not, seeing as even some SMEs may need to appoint a DPO due to the large-scale processing that they conduct. You will need to designate a data protection officer if [Article 37 (1) GDPR]:

your core activities consist of processing personal data, meaning that regular and systematic monitoring of data subjects is implemented; or
the core activities consist of processing of special categories of personal data, on a large scale.

Core activities are the key processing activities to achieve your objectives, for example processing health data can be considered as one of any hospital’s core activities. On the opposite side are supporting activities, for example IT support, or paying employees, are not considered as core activities for an organization.
In order to establish a processing as “large scale” you needs to consider the factors like:

The number of data subjects – either a specific number or as a proportion of the relevant population;
The volume of data and / or the range of different data items being processed;
The duration, or permanence, of the data processing activity;
The geographical scope of the processing activity.

For example, large scale processing ,may include the processing of real time geolocation data of customers, processing customer data in the course of business of an insurance company or a bank, processing personal data for behavioural advertising by a search engine or a social media platform. Processing patient data by a single doctor or physician, or processing personal data relating to criminal convictions and offences by a single lawyer.
Lastly, regular and systematic monitoring includes every form of tracking and profiling online (e.g., behavioural advertising). Some examples of activities that are included in this type of processing are data-driven marketing activities, profiling and scoring for purposes of risk assessment (e.g., for purposes of credit scoring, insurance premiums, fraud prevention), location tracking by mobile apps, monitoring wellness, fitness and health data via wearables, CCTVs, connected devices (e.g., smart meters, smart cars, home automation, etc.).
Overall, the Article 29 Working Party considers ‘regular’ processing to be one or more of the following:

ongoing or occurring at particular intervals for a particular period;
recurring or repeated at fixed times;
constantly or periodically taking place.

While the word ‘systematic’ means one or more of the following:

occurring according to a system;
pre-arranged, organised or methodical;
taking place as part of a general plan for data collection;
carried out as part of a strategy.

Additional useful resources, tools and further reading:
Further reading:

13 - Have you carried out a risk assessment for the processing activities that you conduct; and subsequently have you implemented appropriate technical and organisational measuresThe controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR, by taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.
[Article 24 - Responsibility of the controller] to ensure and be able to demonstrate that your organisation processes personal data in accordance with GDPR?

The risk-based approach that the GDPR has implemented requires all companies evaluate what the risk of each processing activity is, before the processing activity is carried out – that way the company can implement the appropriate technical and organisational measuresThe controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR, by taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.
[Article 24 - Responsibility of the controller] to ensure a level of security appropriate to the risk. The important note for the evaluation of the risk is not only that it indeed occurs but that the company is also able to demonstrate that it has occurred.

Therefore, our practical recommendation is to conduct a risk assessment when you are mapping your processing activities. Furthermore, making a document that describes how the risk assessments are done, for the reason of being able to show the logic in cases of investigations. Additionally, you can make an internal document that describes the security measures that are implemented depending on the risk of the processing activity. Having the document on security measures can also serve helpful for when getting in contact with processors who will need to process personal data on your behalf
– since you can immediately provide the security standards you expect from them.

Additional useful resources, tools and further reading:
Resources, Tools & Solutions:

ENISA’s risk assessment tool for carrying out risk assessments aims to guide SMEs through their specific data processing activities and help them evaluate the relevant security risks. This tool builds on the existing tools that exist, such as the CNIL’s methodology for privacy risk management, ENISA’s recommendations for a methodology of the assessment of severity of personal data breaches and ENISA’s Risk Management and Risk Assessment for SMEs pilot study.
ENISA's self assessment of the implemented security measures, helps to assess the risk level for a given processing activity and the appropriate security measures taken. This secondary tool can be used as a method of identifying whether the security measures are adequate and to check the status of their implementation..
An online tool for cybersecurity in hospitals produced by ENISA. The aim is to help healthcare organisations to quickly identify the most relevant guidelines (such as assets procured or related threats) and promote the importance of a good procurement process to ensure appropriate security measures. .

Cyberwatching.eu has identified a list of solutions that are provided from cybersecurity projects, which can increase the level of compliance with the GDPR, of SMEs or other companies. We have analysed a few projects that we would recommend can be used in order for your organisation to demonstrate technical and organisational measuresThe controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR, by taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.
[Article 24 - Responsibility of the controller] taken. Please note that some of these projects may not be directly applicable to you and may be specific to a sector in the wider market.

Consider that, nowadays, having GPDR measures will add value to your services. The controller has to demonstrate that he works with providers that they respect the GDPR – therefore if you are able to guarantee this, then your services will be more valuable.

CREDENTIAL is a Secure Cloud Identity Wallet, which provides end-to-end secure and privacy-preserving platform for managing and storing users’ digital identity information, ranging from authentication credentials over medical reports to tax data or similar. This solution uses cryptographic mechanisms, as well as determining which of their data goes where. If your SME involves data sharing services, this software may be leveraged as a way to extend your portfolio with privacy enhanced and authenticity.
WITDOM’s data masking component an be utilised as a security measures for sharing data or for storing data in non-trusted environments. Based on the description given by the WITDOM project, it classifies sensitive data as a direct identifier and instead masks it through a process that creates service-and-user specific tokens that can be updated over time. The Article 29 Working Party has identified three different criteria in order to ensure anonymisation, linkability, singling out and inference. This product satisfies the first requirement, as well as the requirement of irreversibility. As a result, the two requirements of singling out and inference are not fulfilled and therefore this product does not offer anonymisation. Nevertheless, pseudonymisation or masking can be an appropriate security measure to implement – especially if the personal data is in an untrusted environment. Therefore, we would recommend WITDOM’s data masking component as a security measure..
The DEFeND project provides an innovative data privacy governance platform which supports healthcare organizations towards GDPR compliance using advanced modelling languages and methodologies for privacy-by-design and data protection management. Specific innovations of the project include: the development of advanced modelling languages and methodologies for privacy-by-design and data protection management; automated methods and techniques to elicit, map and analyse data that organizations hold for individuals; integrated encryption and anonymisation solutions for GDPR; methods and automation techniques for the specification, management and enforcement of personal data consent; a modular solution that covers different aspects of GDPR..
The PANACEA project has developed, with three European Healthcare Centres, a people-centric toolkit of nine tools, to assess and improve the cybersecurity readiness of healthcare socio-technical systems (ICT, networked medical devices, staff) and of medical device/system lifecycles..
SUNFISH platform(Secure Data sharing platform) provides technical tools to ensure compliance with the EU GDPR. SUNFISH integrates its data security components with Data Masking services to support only authorised access to the masking/unmasking services, and masked data..
nVision10produced by Axence, an SME that provides professional solutions for the comprehensive management of IT infrastructure for companies and institutions .

14 - Have you identified the processing activities subject to a Data Protection Impact AssessmentWhere a type of processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons, the controller must, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
[Article 35 – Data Protection Impact Assessment]?

15 - Have you assessed whether your organisation is obliged to keep records of processing activitiesPursuant to Article 30 (5) GDPR, an organisation employing fewer than 250 persons is not obliged to keep records of processing activities, "unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10".
[Art. 30 (5) GDPR]?

15B - If you have assessed it and you are obliged to keep the records of processing activities, have you already filled out the records?

16 - Has your organisation developed a personal data breachPursuant to Article 4(12), a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. management procedure that includes the related notifications In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
[Article 33 GDPR - Notification of a personal data breach to the supervisory authority] and communications When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
[Article 34 - Communication of a personal data breach to the data subject]?

Since you have already developed a personal data breachPursuant to Article 4(12), a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. management procedure it is recommended that you make sure to keep track of any incidents that have occurred (even those that you have labelled as not personal data breachPursuant to Article 4(12), a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. es) and the mitigating actions taken or notifications In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
[Article 33 GDPR - Notification of a personal data breach to the supervisory authority] sent to the supervisory authority or data subjects, through for a register of personal data breachPursuant to Article 4(12), a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. es. It is also suggested that you harmonise and possibly integrate the data breach procedure with any eventual cybersecurity incident handling procedure. Additional useful resources, tools and further reading:
Resources, Tools & Solutions:

Self assessment checklist for GDPR Readiness Checklist Tool on legal basis (click on “data security”) by the Irish Data Protection Commission.
GuardYoois an automated compromise assessment platform developed by an SME. Based on the information provided, it is a solution for forensics analysis of the network, and it seems to deliver an audit relatively shortly, within 1 week, in comparison to how long it would take for a consulting team to carry it out (4-8 weeks), it is still not considered GDPR compliant. In order to ensure that a personal data breachPursuant to Article 4(12), a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. is detected as soon as possible it would need to immediately alert of such event. However, this may be unrealistic a therefore, this tool can act as a preventative – bird-eye vision of the network. However, there would need to be another system in place in order to ensure that the personal data breachPursuant to Article 4(12), a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. is detected as soon as possible and communicated to the supervisory authority or the data subjects (should there be a high risk to the data subject) within 72 hours.

It is needless to say that when a data breach occurs, it is not a moment where a company can improvise its reaction, therefore, it is of extreme importance to have it figured out before it actually happens. The GDPR gives the timeline of notifying the supervisory authority of the data breach within 72 hours, unless the personal data breachPursuant to Article 4(12), a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. is unlikely to result in a risk to the rights and freedoms of the data subjects. For these reasons you need to have protocol, or a procedure determined in order to recognises when a data breach has occurred, how it will be recognised, how the company will react to it, and who will be involved in these steps. The answers to the above questions will result to a procedure on data breach management.

In defining a procedure on data breach management, we suggest taking into consideration the evaluation of the likelihood that the breach results in risks to the rights and freedoms of the data subjects by applying:

the accountability principle set forth in the GDPR in order to be able to demonstrate the responsiveness and actions taken as a result of a personal data breachPursuant to Article 4(12), a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. to the supervisory authority, by at least documenting any personal data breachPursuant to Article 4(12), a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. es and subsequent actions including: a) the facts relating to the personal data breachPursuant to Article 4(12), a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. , b) its effects to data subjects and, c) the remedial action taken[Guidelines on Personal data breach notification under Regulation ].
the methodology provided by the European Agency for Network and Information Security (ENISA) to assess the severity of personal data breachPursuant to Article 4(12), a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. es by taking into account:
1. the data processing context, i.e., the type of data breached, and the overall processing operation,
2. the ease of identification of the data subjects from the data involved in the breach,
3. the specific circumstances of the breach, for example, whether it is a loss of confidentiality, or any malicious intent that may be involved [Recommendations for a methodology of the assessment of severity of personal data breachPursuant to Article 4(12), a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. es].

In addition to notifying the supervisory authority, according to Article 34(1) of the GDPR, the data controller is also required to communicate a breach to the affected individuals, “when the personal data breachPursuant to Article 4(12), a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. is likely to result in a high risk to the rights and freedoms of natural persons”. The communication should be done as soon as possible (namely “without undue delay”) and aims to provide individuals with specific information about the steps they should take to protect themselves. This could also be done by providing specific advice to individuals to protect themselves from adverse consequences of the breach (for instance, resetting passwords). Furthermore, breaches should be communicated to the concerned individuals directly with dedicated and transparent methods of communication which can ensure individuals understand the information being provided to them (e.g., email, SMS or prominent website banners in relevant languages).

Notification to individuals is not required when:

the controller has applied appropriate technical and organisational measures to protect personal data prior to the breach (such as state-of-art encryption);
immediately following a breach, the controller has taken steps to ensure that the high risk posed to individuals’ rights and freedoms is no longer likely to materialise;
it would involve disproportionate effort to contact individuals.

It is recommended that you make sure to keep track of any incidents that have occurred (even those that you have labelled as not personal data breachPursuant to Article 4(12), a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. es) and the mitigating actions taken or notifications In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
[Article 33 GDPR - Notification of a personal data breach to the supervisory authority] sent to the supervisory authority or data subjects, through for a register of personal data breachPursuant to Article 4(12), a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. es. It is also suggested that you harmonise and possibly integrate the data breach procedure with any eventual cybersecurity incident handling procedure.

If controllers fail to notify the data breach to the supervisory authority or to communicate it to the data subjects (infringement of Articles 33 and 34 of the GDPR), the supervisory authority will have the possibility to issue administrative fines, whose value can be up to 10 000 000 EUR or up to 2 % of total worldwide annual turnover (Article 83 (4)(a)). Nevertheless, where the failure to notify a breach reveals an absence or inadequacy of existing security measures, the supervisory authority may also issue sanctions for the infringement of Article 32 of the GDPR. Additional useful resources, tools and further reading:
Resources, Tools & Solutions:

Self assessment checklist for GDPR Readiness Checklist Tool on legal basis (click on “data security”) by the Irish Data Protection Commission.
The Data breach notification tooldeveloped by the Italian Garante.
Fitsec Ltd is a Finnish cyber security company that offers cybersecurity services, including the Asset tracker which can be found in Cyberwatching.eu’s Marketplace. The Asset tracker assists organisations in detecting their data leaks. Specifically, this service enables them to track personal data of an organisation and check if the data has leaked to the internet. Tracking this information for an organisation that handle personal data enables the organisation not only to have a quick response to the Supervisory Authority (within 72 hours of the personal data breachPursuant to Article 4(12), a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. ) but it also helps minimize the risks to the data subjects. In addition, the SME can help isolate and fix weaknesses in the organisation’s security in order to ensure that the security gap has been adequately filled. The service also helps organizations to fulfil the requirement of notifying affected parties in the event of a data breach, as outlined in the GDPR. Assets, or information related to the organization can be for example: email addresses, IP addresses, domain names or payment card information. The service is easy to use and does not require any installations in your environment. From the easy-to-use web interface, you can see the assets being monitored, add new assets to be monitored and analyse any matches that have been found. All findings are reported to you in whatever way you desire.
GuardYoois an automated compromise assessment platform developed by an SME. Based on the information provided, it is a solution for forensics analysis of the network, and it seems to deliver an audit relatively shortly, within 1 week, in comparison to how long it would take for a consulting team to carry it out (4-8 weeks), it is still not considered GDPR compliant. In order to ensure that a personal data breachPursuant to Article 4(12), a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. is detected as soon as possible it would need to immediately alert of such event. However, this may be unrealistic a therefore, this tool can act as a preventative – bird-eye vision of the network. However, there would need to be another system in place in order to ensure that the personal data breachPursuant to Article 4(12), a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. is detected as soon as possible and communicated to the supervisory authority or the data subjects (should there be a high risk to the data subject) within 72 hours.

Further reading:

Recommendations for a methodology of the assessment of severity of personal data breachPursuant to Article 4(12), a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. es, developed by ENISA, Greek and German Data Protection Authority.
Guide on personal data breachPursuant to Article 4(12), a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. management and notificationdeveloped by Spanish Data Protection Authority (AEPD).
72 hours how to respond to a personal data breachPursuant to Article 4(12), a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. – a simple guide for small companies by the UK Information Commissioner’s Office (ICO).

Cancel