Expert Advice Community

Purpose of a company's Data Protection Policy

Guest user Created:   Mar 22, 2020 Last commented:   Mar 23, 2020

Which of the following is the purpose of a company's Data Protection Policy?

  1. A Data Protection Policy allows the company to guide its employees on key aspects of GDPR that are applicable to the company.
  2. A Data Protection Policy allows the company to demonstrate transparency towards its clients.
  3. A Data Protection Policy allows the company to formulate data protection principles in line with the GDPR.
  4. All of the above.


I picked the ‘first answer’ during the exam because, as stated in the course material practice exam p.64, ‘A Data Protection Policy is defined by the company to provide its employees with a relevant interpretation of GDPR in the context of the company’. The second answer, ‘demonstrate transparency towards its clients’, is incorrect because the Data Protection Policy is an internal document (course material p.62), and demonstrating transparency towards its clients is the purpose of the Privacy Notice (course material Module 3 p.17), not the Data Protection Policy. The third answer is somewhat correct according to course material p.62, but not totally, as the company is not formulating new principles in line with GDPR; it is applying already existing GDPR principles (requirements) to the company’s processing activities. But again, there wasn’t an option in the exam for me to pick 2 right answers.

Could you please confirm the intent of this question, or whether it was a technical error in the exam question setup to pick more than 1 answer?

Expert
Alessandra Nisticò Mar 23, 2020

The right answer is "d. All of the above" because a Data Protection Policy allows a company to guide its employees on key aspects of GDPR by establishing its principles in line with the GDPR, and it is a key component of the accountability principle.

The GDPR structure establishes principles on how organizations must process personal data; such principles must be adapted by each organization to its own data processing activity.

Answer c does not imply that the company formulates "new" principles, as principles are inside the GDPR. It implies that principles in line with GDPR are formulated into company principles to adapt to concrete company data processing. 

I.e., GDPR does not tell a company how long to store collected data; it establishes the principle of minimization of processing. In the Data Protection Policy, however, the company must set a principle to help employees deal with this principle. The company may establish that collected CVs from job applicants are deleted as soon as the job position has been covered. From this principle comes the rule for the HR department: "delete every CV you received as soon as the selected candidates start working and no later than the trial period ends." Therefore, in this example, there is a GDPR principle (data minimization), a company principle (collected CVs must be deleted) and a rule for the HR department.

In other words, the Data Protection Policy explains how employees and the company will process data and, though it is not directed to customers, it helps the Supervisory Authority to verify that anything declared in the Privacy Policy (i.e. how data are processed) is coherent with the principles and instructions given to employees, and with the internal company interpretation of GDPR. This is why the correct answer is d. All of the above.

For more information, see the following article:

  • Contents of the Data Protection Policy according to GDPR https://advisera.com/eugdpracademy/knowledgebase/contents-of-the-data-protection-policy-according-to-gdpr/

     
