1. Are there any available GDPR certifications?
2. How do I start with mapping my processing activities?
3. Is there any video surveillance policy available in the toolkits?
4. I am negotiating a Data Processing Contract with an insurance company. Are these companies controllers or processors?
5. How can I best present a privacy notice? Do clients need to sign the notice?
1. Are there any available GDPR certifications?
So far there are no certifications available in the sense of art. 40 of the GDPR. However, you need to keep an eye on the Supervisory Authorities' websites and see if there is any news, since it is the Supervisory Authorities that need to endorse such certifications.
2. How do I start with mapping my processing activities?
My suggestion is to have a process-based approach. For example, you can split HR activities into several processes such as recruitment, on-boarding, etc. and record these into your Records of processing.
You can find readily available Inventories of processing activities in this "EU GDPR Data Mapping & DPIA Toolkit" (https://advisera.com/eugdpracademy/eu-gdpr-data-mapping-dpia-toolkit/).
3. Is there any video surveillance policy available in the toolkits?
No, unfortunately not. However, you do not necessarily need one if you provide an adequate privacy notice and explain the extent of the video monitoring and the purposes.
4. I am negotiating a Data Processing Contract with an insurance company. Are these companies controllers or processors?
Usually, insurance companies act as independent data controllers, so you would need Controller to Controller Clauses in place.
5. How can I best present a privacy notice? Do clients need to sign the notice?
Some of the best ways to present a privacy notice are:
- Layering - Provide the individual with a short summary of the important or unusual uses of their personal data and provide a link to a full privacy policy for those who want the detail.
- Just in time - Consider using additional notices for particular interactions with the individual. For example, if signing up for a new service means their personal data will be processed for additional purposes.
Oct 08, 2019