Maintaining GDPR documentation

Guest user Created:   Jan 25, 2019 Last commented:   Jan 25, 2019

1. My company intends to use a list of customers' personal data to create custom audiences on Facebook. We would need to conduct the DPIA and the Inventory of Processing Activities, correct?

Expert
Andrei Hanganu Jan 25, 2019

Answer: You would need an Inventory of Processing Activities only if (a) the company has more than 250 employees; or (b) the processing the company carries out is likely to result in a risk to the rights and freedoms of data subjects; or (c) the processing is not occasional; or (d) the processing includes special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation); or (e) the processing includes personal data relating to criminal convictions and offenses.
A DPIA is necessary only if the type of processing is likely to result in a high risk to the rights and freedoms of individuals. To assess whether something is ‘high risk’, the GDPR is clear that you need to consider both the likelihood and severity of any potential harm to individuals. ‘Risk’ implies a more than remote chance of some harm. The DPIA Register in the EU GDPR Documentation Toolkit has the first questions set up as threshold questions. If your answer to any of those questions is "Yes", then you need a DPIA.

2. Do we have to always perform both of these activities every time we use the customers' data? Does this only apply to customers' data that resides in the EU?

Answer: No, you just need to do it once as long as the processing stays the same. It should only be undertaken if the personal data processed is of data subjects in the Union.