
Flowcharts and Checklists on Data Protection

© European Union 2020

Reproduction is authorised provided the source is acknowledged.

PDF ISBN 978-92-9242-461-9 doi: 10.2804/823679 QT-02-20-505-EN-C
PRINT ISBN 978-92-9242-462-6 doi: 10.2804/912368 QT-02-20-505-EN-N
Table of Contents

Flowchart: are you a processor, controller or joint controller? ....... 3
Checklist 1: What are the duties of the controller? ....... 4
Checklist 2: What are the duties of the processor? ....... 7
Checklist 3: What is required in a processing agreement? ....... 8
Useful hints and questions on data protection ....... 10
Data transfers and Brexit ....... 13
Powers of the EDPS under Regulation (EU) 2018/1725 (EU institutions Data Protection Regulation - EUDPR) ....... 14
Administrative fines and sanctions under EUDPR ....... 16
EUDPR - Infringements ....... 17
Are you a processor, controller or joint controller?

Flowchart for EUIs. You are involved in a processing operation with one or more third parties: are you a processor, a controller, or a joint controller?

! This flowchart is for situations where the allocation of the processor and controller roles has not been established in a legal act.

1. Do you determine certain purposes and essential means of the processing operation, based on a specific legal competence?
   Yes: you are a controller; continue with 4.
   No: go to 2.

2. Do you determine certain purposes and essential means of the processing operation, based on an implicit competence?
   Yes: you are a controller; continue with 4.
   No: go to 3.

3. Do you determine certain purposes and essential means of the processing operation in practice?
   Yes: you are a controller; continue with 4.
   No: you are a processor.

4. What is the relationship between you (A) and the other party (B)?

   You jointly determine the purposes and essential means for the processing operation with B.
   -> You and B are joint controllers.

   You jointly determine some essential means and purposes with B, while others are determined separately.
   -> You are joint controller with B for the jointly determined parts of the processing operation.

   You and B separately determine purposes and essential means for the processing operation.
   -> B is controller for its own means and purposes, but processor for yours.

   Only you determine the purposes and essential means of the processing operation.
   -> You are a controller, B is your processor.

Note: The aim of this flowchart is to clarify the initial qualification as controller or processor, rather than setting out what happens when a processor exceeds its mandate/role by becoming involved in determining essential means of the processing.

Checklist 1: What are the duties of the controller?

Processing of personal data needs to adhere to the following principles:

• the processing operation should be lawful, fair and transparent (lawfulness, fairness, transparency);
• the processing operation should be bound to specific purposes (purpose limitation);
• the personal data processed should be adequate, relevant and limited to what is necessary (data minimisation);
• the personal data should be accurate (accuracy);
• the personal data should be kept no longer than necessary (storage limitation);
• the personal data need to remain well secured and confidential (integrity and confidentiality).

See the EDPS guide Accountability on the ground, part II, pages 11-15 for guiding questions on these data protection principles.

The controller is responsible for compliance with these principles and should be able to demonstrate this compliance (principle of accountability). To achieve this, controllers in practice need to, in particular:

• document their processing operations with records (Note: the EDPS strongly recommends keeping these records in a central, publicly accessible register);
• carry out a data protection impact assessment (DPIA), prior to operations which carry a high risk to the rights and freedoms of data subjects;
• under certain circumstances, consult the EDPS prior to such high-risk processing operations;
• when designing processing operations, keep in mind the principles of privacy by design and privacy by default;
• take adequate security measures in order to protect personal data;
• in case of a personal data breach, notify the EDPS as well as, under certain circumstances, the data subjects involved;
• conclude agreements/contracts with processors (only those providing sufficient guarantees);
• conclude agreements with other controllers in cases of joint controllership;
• transfer personal data within the European Institution, agency or body (EUI), to other EUIs, to countries outside of the EU or international organisations only when the conditions of Regulation (EU) 2018/1725 are complied with;
• cooperate with the EDPS.

See the EDPS Accountability on the ground for guidance on records, DPIAs, prior consultation and more.

Finally, the controller needs to provide clear and accessible information to data subjects about the processing, respect data subjects' rights and ensure their availability in practice.

See the EDPS guidelines on transparency and other rights and obligations.

Know your processing operations

Article 4 of EUDPR lists the data protection principles. Additional Articles in this Regulation spell them out in more detail:

DP principle          Articles                            Recitals
Fairness              Articles 4(1), 17 to 25             20, 26, 34, 35, 37-41
Transparency          Articles 4(1)(a), 14 to 16, 25      20, 35, 36
Purpose limitation    Articles 4(1)(b), 6, 13, 38         25
Data minimisation     Articles 4(1)(c), 12, 13, 37, 38    20
Accuracy              Articles 4(1)(d), 18                38
Storage limitation    Articles 4(1)(e), 13                20, 33
Security              Articles 4(1)(f), 33, 36, 37, 39    53, 54, 58

Create a systematic description of the processing. Start from the information you already have in your notification or record and add the following points:

• data flow diagram of the process (flowchart): what do we collect from where/whom, what do we do with it, where do we keep it, to whom do we give it?
• detailed description of the purpose(s) of the processing: explain the process step-by-step, distinguishing between purposes where necessary;
• description of its interactions with other processes - does this process rely on personal data being fed in from other systems? Are personal data from this process re-used in other processes?
• description of the supporting infrastructure: filing systems, ICT etc.

Use existing documentation of the process or its development to generate this documentation. Re-read this existing documentation through the lens of "how will this affect the people whose data we process?" and adapt and expand where necessary.

Go through your data flow diagram and for each step, ask yourself how this could affect the persons concerned against the background of the data protection principles.

The table below maps the targets to some generic processing steps, indicating the most relevant targets for each. These are the minimum aspects to check.

Lawfulness is to be ensured as the first stage and at each processing step.
                             Fairness  Transparency  Purpose     Data          Storage     Security
                                                     limitation  minimisation  limitation
Collection                      X          X            X            X            X           X
Merging datasets                X          X            X            X            X           X
Organisation/structures         O          O            X            X            X           X
Retrieval/consultation/use      X          X            X            O            X           X
Editing/alteration              E          X            O            X            O           X
Disclosure/Transfer             X          X            X            X            O           X
Restriction                     R          R            X            X            X           X
Storage                         X          X            X            O            X           X
Erasure/destruction             X          O                                      X           X

See the EDPS Accountability on the ground guidance, part II, pages 7, 9-11 for mapping data protection principles to generic processing steps.

Checklist 2: What are the duties of the processor?

In order to comply with Regulation (EU) 2018/1725 (EUDPR), processors must in particular:

• only process personal data on the documented instructions of the controller, unless required to do so by EU or Member State law;
• process personal data as governed by a contract or legal act which is binding on the processor and that sets out the necessary prerequisites for the processing activity;
• NOT further process data for other incompatible purposes;
• assist the controller with the obligation to guarantee the rights of data subjects and to fulfil the controller's obligations pursuant to Articles 33-41 EUDPR (security and data breach notification, data protection impact assessment and prior consultation, confidentiality of electronic communications, information and consultation of EDPS);
• notify any legally binding request for disclosure of the personal data processed on behalf of the controller, and only give access to data with the prior written authorisation of the controller;
• ONLY outsource/subcontract with the prior written authorisation of the controller; inform the controller of any changes, giving the controller the opportunity to object; pass on the same contractual obligations to any subcontractors;
• maintain a record of all categories of processing activities carried out on behalf of the controller;
• take adequate security measures in order to protect the personal data;
• without undue delay, inform the controller of a data breach;
• cooperate, on request, with the EDPS in the performance of his or her tasks.
Checklist 3: What is required in a processing agreement?

Controllers can have another entity process personal data on their behalf. Outsourced processing thus concerns personal data produced and processed by the contract, not data of the contractor or its staff.

Processing by a processor requires a contract or other legal act under EU or Member State law, which is binding on the processor and sets out:

• purpose, duration, nature and scope of processing;
• categories of data and data subjects;
• retention period;
• data location and data access (based on a preliminary risk assessment, may be limited or not to the EEA);
• recipients of data and data transfers (within the EUI, to other EUIs, to third countries or international organisations);
• security measures (guaranteeing at minimum the same level of security for the personal data as the controller);
• prohibition of disclosure of data – reference to the Protocol on Privileges and Immunities of the EU;
• any additional data protection laws (e.g. ePrivacy Directive, NIS Directive) – if applicable;
• processor may only act upon documented instructions of the controller, unless required to do so by EU or Member State law (instructions also on transfers of personal data and assistance to the controller);
• sub-contracting only with prior written authorisation of the controller, information in due time before any changes;
• confidentiality measures, access only on a need-to-know basis to authorised persons;
• auditing rights by the controller of processors and sub-processors;
• cooperation, on request, with the EDPS in the performance of his or her tasks (including EDPS' audit / investigation of processors and sub-processors);
• division of tasks between joint controllers – if applicable – so that the processor knows how to assist which joint controller;
• assistance with data subject rights requests;
• assistance with controller obligations (security and data breach notification, data protection impact assessment and prior consultation, confidentiality of electronic communications, information and consultation of EDPS) and record of processing on behalf of the controller;
• assistance with data breaches – set a specific deadline;
• choice by the controller for the processor to return or delete the data at the end of the processing;
• obligation to inform the controller if its instruction infringes Regulation (EU) 2018/1725 or other EU or Member State data protection provisions;
• ground for termination in case of substantial non-compliance of the processor, liability etc.;
• applicable data protection law;
• other applicable provisions affecting data protection, e.g. choice of applicable law and jurisdiction (Member State of the EUI's seat), amendments (only bilateral) etc.

The contract or other legal act may be based, in whole or in part, on standard contractual clauses for processors adopted by the EDPS or the EC.

Useful hints and questions on data protection

Main lines
• Think about what you need to do to fulfil your business needs and limit yourselves to it.
• Define what you do, document it.
• Tell people about it and respect their rights.
Document every step for accountability purposes.

Some useful questions
• What exactly do we want to do and why?
• Why are we allowed to do it?
• What data do we need to do it and for how long?
• Who needs to have access to the data?
• How do we make sure it is not used otherwise?
• How do we tell people about it and give them access to their data?
• How do we document all this?
• Want to know more? Need guidance? Talk to your Data Protection Officer.

Data protection factors when publishing personal data

• Am I obliged to publish? May I publish? (Legal basis)
• What can I publish? (Data minimisation)
• How do I tell the individuals concerned? (Information)
• How do I make sure the data is correct? (Accuracy)

Guiding questions on transparency

Why inform people about data processing? So that they can:
• understand which of their data are processed and how;
• verify the quality of their own data;
• exercise their other data protection rights (access, rectification, erasure, restriction of processing, notification of rectification, erasure, restriction of processing, data portability, objection, not to be subject to a decision based solely on automated processing, including profiling).

• How will you tell people about your processing?
• How do you make sure the information reaches the persons affected?
• Have you provided all the information necessary and is it easy to understand?
• Is the language tailored for the audience, for example, children?
• In the event that you defer providing information, what is your justification?

Guiding questions on fairness

• Can people expect this to happen, also if they do not read the information you provide them with?
• In case you rely on consent, is it really free? How do you document that people gave it? How can they revoke their consent?
• Could this generate chilling effects?
• Could this lead to discrimination?
• Is it easy for people to exercise their rights to access, rectification, etc.?

Guiding questions on purpose limitation

• Have you identified all the purposes of your process?
• Are all purposes compatible with the initial purpose?
• Is there a risk that the data could be reused for other purposes (function creep)?
• How can you ensure that data are only used for their defined purposes?
• If you want to make available/re-use data for scientific research, statistical or historical purposes, what safeguards do you apply to protect the individuals concerned?
Guiding questions on data minimisation

• Are the data of sufficient quality for the purpose?
• Do the data you collect measure what you intend to measure?
• Are there data items you could remove without compromising the purpose of the process?
• Do you clearly distinguish between mandatory and optional items in forms?
• In case you want to keep information for statistical purposes, how do you manage the risk of re-identification?

Guiding questions on accuracy

• What could be the consequences for the persons affected of acting on inaccurate information in this process?
• How do you ensure that the data you collect yourself are accurate?
• How do you ensure that data you obtain from third parties are accurate?
• Do your tools allow updates/correction of data where necessary?
• Do your tools allow for consistency checks?

Guiding questions on storage limitation

• Does EU legislation define storage periods for your process?
• How long do you need to keep which data? For which purpose(s)?
• Can you distinguish storage periods for different parts of the data?
• If you cannot delete the data just yet, can you restrict access to it?
• Will your tools allow automated erasure at the end of the storage period?

Guiding questions on security

• Do you have a procedure to perform an identification, analysis and evaluation of the information security risks possibly affecting personal data and the IT systems supporting their processing?
• Do you target the impact on people's fundamental rights, freedoms and interests and not only the risks to the organisation?
• Do you take into consideration the nature, scope, context and purposes of processing when assessing the risks?
• Do you manage your system vulnerabilities and threats for your data and systems?
• Do you have any resources or staff with assigned roles to perform risk assessments?
Flowchart: data transfers in the context of Brexit

1. Have you mapped your data transfers to the UK?
   No: first, map your processing activities involving transfers to the UK.
   Yes: go to 2.

! Note that an Art. 47 EUDPR adequacy decision prior to Brexit is unlikely.

2. For these transfers, have you checked which of the available data transfer mechanisms best suits your situation?
   No: check the Art. 48 EUDPR safeguards listed below.
   Yes: go to 3.

   Art. 48 EUDPR safeguards:
   • standard data protection clauses for transfers* – only if adopted by the EDPS and approved by the EC, or adopted by the EC;
   • or ad-hoc data protection clauses – only if authorised by the EDPS;
   • or binding corporate rules* – only if approved by a national supervisory authority, following an EDPB opinion;
   • or codes of conduct and certification mechanisms – not feasible prior to Brexit.

   Some instruments are exclusively available for transfers between public authorities:
   • a legally binding and enforceable instrument, such as an administrative agreement, a bilateral or multilateral international agreement – only if binding and enforceable, and only for the signatories;
   • or administrative, non-binding arrangements, which nonetheless provide for effective data subject rights – only if authorised by the EDPS.

   If none of the above: Art. 50 EUDPR allows derogations for specific situations, but only for occasional transfers and only on exhaustive grounds. This article should be relied on restrictively.

3. Have you implemented the chosen data transfer mechanism?
   No: implement the data transfer mechanism.
   Yes: go to 4.

4. Have you updated the internal documentation?
   No: update the internal documentation.
   Yes: go to 5.

5. Have you updated the data protection notice?
   No: update the data protection notice.
   Yes: your institution is adequately prepared.

* Binding corporate rules and standard contractual clauses (adopted by the EC) under the old Directive 95/46 are still valid, but will need to be updated over time in line with the GDPR. In any case, before using old EC standard contractual clauses you should make sure to adapt them to Regulation (EU) 2018/1725 [EUDPR].

Powers of the EDPS under Regulation (EU) 2018/1725
(EU institutions Data Protection Regulation - EUDPR)

Article 58 Powers

1. The European Data Protection Supervisor shall have the following investigative powers:

• to order the controller and the processor to provide any information it requires for the performance of his or her tasks;
• to carry out investigations in the form of data protection audits;
• to notify the controller or the processor of an alleged infringement of this Regulation;
• to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of his or her tasks;
• to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union law.

2. The European Data Protection Supervisor shall have the following corrective powers:

• to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;
• to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;
• to refer matters to the controller or processor concerned and, if necessary, to the European Parliament, the Council and the Commission;
• to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation;
• to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;
• to order the controller to communicate a personal data breach to the data subject;
• to impose a temporary or definitive limitation including a ban on processing;
• to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 18, 19 and 20 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 19(2) and Article 21;
• to impose an administrative fine pursuant to Article 66 in the case of non-compliance by an EUI with one of the measures referred to in points (d) to (h) and (j) of this paragraph, depending on the circumstances of each individual case;
• to order the suspension of data flows to a recipient in a Member State, a country outside of the EU or to an international organisation.

3. The European Data Protection Supervisor shall have the following authorisation and advisory powers:

• to advise data subjects on exercising their rights;
• to advise the controller in accordance with the prior consultation procedure referred to in Article 40, and in accordance with Article 41(2);
• to issue, on his or her own initiative or on request, opinions to EUIs and to the public on any issue related to the protection of personal data;
• to adopt standard data protection clauses referred to in Article 29(8) and in point (c) of Article 48(2);
• to authorise contractual clauses referred to in point (a) of Article 48(3);
• to authorise administrative arrangements referred to in point (b) of Article 48(3);
• to authorise processing operations pursuant to implementing acts adopted under Article 40(4).

4. The European Data Protection Supervisor shall have the power to refer the matter to the Court of Justice under the conditions provided for in the Treaties and to intervene in actions brought before the Court of Justice.

5. The exercise of the powers conferred on the European Data Protection Supervisor pursuant to this Article shall be subject to appropriate safeguards, including effective judicial remedies and due process, set out in EU law.

Administrative fines and sanctions under EUDPR

EUDPR - Infringements

Category 1 Infringements: maximum fine of 25 000 EUR per infringement and of 250 000 EUR per year

Infringements for which fining is explicitly set out in Art. 66(2) of the EUDPR:
• Art. 8 - Conditions applicable to a child's consent in relation to information society services
• Art. 12 - Processing which does not require identification
• Art. 27 - Data protection by design and by default
• Art. 28 - Joint controllers
• Art. 29 - Processor
• Art. 30 - Processing under the authority of the controller or processor
• Art. 31 - Records of processing activities
• Art. 32 - Cooperation with the European Data Protection Supervisor
• Art. 33 - Security of processing
• Art. 34 - Notification of a personal data breach to the European Data Protection Supervisor
• Art. 35 - Communication of a personal data breach to the data subject
• Art. 39 - Data protection impact assessment
• Art. 40 - Prior consultation
• Art. 43 - Designation of the data protection officer
• Art. 44 - Position of the data protection officer
• Art. 45 - Tasks of the data protection officer

Infringements for which fining is not explicitly set out in Art. 66(2) or (3), but could be sanctioned in line with Art. 66(1) as failure to comply with an order under Art. 58(2)(e) of the EUDPR:
• Rec (49) EUDPR in connection with Art. 42 GDPR - Certification of EUI
• Art. 26 - Responsibility of the controller
• Art. 37 - Protection of information transmitted to, stored in, related to, processed by and collected from users' terminal equipment
• Art. 38 - Directories of users

Category 2 Infringements: maximum fine of 50 000 EUR per infringement and of 500 000 EUR per year

Infringements for which fining is explicitly set out in Art. 66(3) of the EUDPR:
• Art. 4 - Principles relating to processing of personal data
• Art. 5 - Lawfulness of processing
• Art. 7 - Conditions for consent
• Art. 10 - Processing of special categories of personal data
• Art. 14 - Transparent information, communication and modalities for the exercise of the rights of the data subject
• Art. 15 - Information to be provided where personal data are collected from the data subject
• Art. 16 - Information to be provided where personal data have not been obtained from the data subject
• Art. 17 - Right of access by the data subject
• Art. 18 - Right to rectification
• Art. 19 - Right to erasure ('right to be forgotten')
• Art. 20 - Right to restriction of processing
• Art. 21 - Notification obligation regarding rectification or erasure of personal data or restriction of processing
• Art. 22 - Right to data portability
• Art. 23 - Right to object
• Art. 24 - Automated individual decision-making, including profiling
• Art. 46 - General principle for transfers
• Art. 47 - Transfers on the basis of an adequacy decision
• Art. 48 - Transfers subject to appropriate safeguards
• Art. 49 - Transfers or disclosures not authorised by Union law
• Art. 50 - Derogations for specific situations

Infringements for which fining is not explicitly set out in Art. 66(2) or (3), but could be sanctioned in line with Art. 66(1) as failure to comply with an order under Art. 58(2)(e) of the EUDPR:
• Art. 6 - Processing for another compatible purpose
• Rec (21) in connection with Art. 5 - Transmission of personal data within the same Union institution or body where the recipient is not part of the controller, or to other Union institutions or bodies
• Art. 9 - Transmissions of personal data to recipients established in the EU other than Union institutions and bodies
• Art. 11 - Processing of personal data relating to criminal convictions and offences
• Art. 13 - Safeguards relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
• Art. 25 - Restrictions
• Art. 36 - Confidentiality of electronic communications
www.edps.europa.eu
@EU_EDPS
EDPS
European Data Protection Supervisor
