1 Module 1 - Inventory
As pointed out above this is the first step in GDPR compliance. It will form the basis for your
enterprise’s inventory and for much of the important documentation to be produced under the
GDPR.
In the inventory it is possible to add a new process, to modify, delete or refresh an existing process, and to export an Excel report of the input data.
Personal Data
Personal Data means any information relating to an identified or identifiable natural person
called the data subject. An identifiable natural person is one who can be identified, directly or
indirectly, in particular by reference to an identifier such as a name, an identification number,
location data, an online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal data therefore covers everything from, for example, a name to an IP address or a tax number.
It should be noted that, since the GDPR was drafted, this definition must also be read in conjunction with the Nowak case (a European Court of Justice decision from December 2017), which effectively expands the definition to include any information that relates to the data subject. An example could be an email: as a result of this decision every word in the email could be personal data, if it relates to a data subject.
“The use of the expression ‘any information’ in the definition of the concept of ‘personal data’…
reflects the aim of the EU legislature to assign a wide scope to that concept, which is not
restricted to information that is sensitive or private, but potentially encompasses all kinds of
information, not only objective but also subjective, in the form of opinions and assessments,
provided that it ‘relates’ to the data subject”.
These are examples of the most common personal and sensitive data held by enterprises.
Some examples of ‘personal data’
➢ Name, address, email, telephone
➢ Age, gender, marital status
➢ ID or registration number
➢ PPSN or Tax Number
➢ Passport number
➢ Car registration
➢ Photograph
➢ Video / CCTV
➢ Fingerprints, facial recognition
➢ Travel card or ticket
➢ Education and training information
➢ Student numbers
➢ Grades, exam results, certificates, testimonials, references
➢ Health information, medical reports
➢ Family and lifestyle details
➢ Employment details
➢ Financial details, bank statements, card numbers
➢ Online identifiers, IP addresses, cookie identifiers, RFID tags
Sensitive Data
It is important to note that what we sometimes regard as sensitive may not be categorised as sensitive under the GDPR. Much of what people might consider to be sensitive is in fact personal data, such as personal addresses and financial data (including salaries), but it should of course be treated with similar care because of the risk of reputational and financial damage to data subjects, who can sue for material and non-material financial damage or distress.
Article 9 says that sensitive data involves the processing of the following categories of personal data, and that such processing shall be prohibited:
• data revealing racial or ethnic origin,
• political opinions,
• religious or philosophical beliefs,
• or trade union membership,
• and the processing of genetic data,
• biometric data for the purpose of uniquely identifying a natural person,
• data concerning health,
• or data concerning a natural person’s sex life or sexual orientation.
In addition, location data (Tele2 Sverige) and payment data (PSD2) are generally afforded
protections similar to sensitive data.
Explicit consent of the data subject is required unless the processing falls within one of the other nine processing exceptions in Article 9(2) or falls under Article 23. Such consent forms can, depending on the circumstances, constitute a form of contract. As such, disclosure of confidential personal information is considered a breach of contract and therefore contravenes the duties of confidentiality.
Two of the more important conditions for processing sensitive data should be noted:
➢ Employment Law – processing is necessary for the carrying out of the obligations
and exercising rights of the controller or the data subject in the field of employment,
social security or social protection law.
➢ Legal Claims – processing is necessary for the establishment, exercise or defence of
legal claims.
Some points of ambiguity should be noted.
The use of the word ‘revealing’ shows that not only data which by its nature contains sensitive information is covered by this provision, but also data from which sensitive information about an individual can be inferred.
Although the GDPR does not define ‘health’, the term should be understood and interpreted
as including preventative medicine, medical diagnosis, DNA sequences, medical research,
provision of care and treatment and the management of healthcare services.
There is also no minimum level for health data and health data may range from information
about a simple cold to information about illnesses or disabilities. This may lead to difficulties
in practice, as the individual's explicit consent is required even for unproblematic processing
of such data.
Also, there is no specific exception covering the insurance sector, where the processing of
health data is a necessary pre-requisite for concluding and performing a health insurance
contract. Some countries may provide a specific provision for such processing such as in the
Irish Data Protection Act, 2018. The GDPR will require explicit consent that is freely given and
meets the requirements of Articles 7-8.
There is no definition of “philosophical beliefs” and for example, a court in the U.K. recognized
belief in climate change as a philosophical belief.
Wizard for Controller/Processors
Below we provide a simple wizard to help you determine which you are in respect of each
activity. The WP 29 group previously gave guidance in Opinion 1/2010 on the concepts of
"controller" and "processor" (WP169) and the following supplements the guidance. See
https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf
Wizard for Type of Responsible Party under the GDPR
Are we a processor or a controller for each Customer, Employee, Supplier or other third party?
Decision tree: do we decide the purpose and means? This is the purpose and means test in Article 4.
You are the Controller if you decide both why and how data processing is done at a data processing point.
How and why data is processed covers, broadly, whether it is collected, stored, used, shared, transferred (either internally, intra-company, within the EU, or in any international transfer outside the EU), and disposed of.
If you do not decide both the how and the why, you are acting under the instructions of the controller and are therefore a processor, except in two instances:
➢ If the processor infringes the regulation by determining why and how data is processed at any data point, then it is the controller in respect of that data point’s processing (Article 28(10)).
➢ A processor should make sure it has a binding contract or other legal act with the controller (Article 28(3)). Otherwise, Article 82 says a processor is liable only where it has not complied with its obligations under the GDPR specifically directed to processors, or where it has acted outside or contrary to the lawful instructions of the controller, which underlines the importance of the contract with the controller.
The Processor is liable for the processing activities of sub-processors engaged for specific activities carried out on behalf of the controller, and the Processor’s obligations to the Controller must be laid out in the contract or other legal act. Regardless, however, the processor remains fully liable.
A controller can also be a Joint Controller where two or more controllers determine the how
and why of processing and the rights and obligations of each should be set out in a contract.
It should be noted that independent Controllers do not need to have a processing
agreement, and each is liable in respect of any processing carried out. It is important for
group companies to have an Intra Group Transfer Agreement and while there are many
third country transfer mechanisms enterprises should endeavour over time to introduce
binding corporate rules if any members of the group are based outside the EU.
If you have a group structure, consider consulting a lawyer because then you can be sued
in any territory where you have an office and could be regulated by a Supervisory Authority
where your head office is located. The note for 3rd country transfers in Processor and
Controller Reporting will provide a guide on the issues, but the area can be complex.
One final matter you need to consider: even if in theory you are a responsible party, you may be regulated by a professional or industry association. It is possible, particularly as these bodies become more familiar with the GDPR and cases come before supervisory authorities and the courts, that these entities may adopt codes of conduct under Articles 40 and 41, or that you can show compliance through a certification mechanism under Articles 42 and 43.
It is also possible that a customer may decide what the relationship is in practice, and some processors may find that commercial reasons pressure them into adopting the role of Data Controller, particularly where the counterparty is situated in a third country outside the EU. However, any arrangement will ultimately be decided by a Supervisory Authority or a Court, so it is important to get the designation correct.
Processor (Module 4)
This is defined above but essentially a processor should follow the instructions of a Controller.
The relationship is governed by a processing agreement and where the instruction is not
covered in the processing agreement then you are a Controller in respect of this activity. It is
important that any appendix to such an agreement list individually all the matters you carry out
from the definition of processing below.
Processing
‘Processing’ means any operation or set of operations which is performed on personal data or
on sets of personal data, whether or not by automated means, such as collection, recording,
organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use,
disclosure by transmission, dissemination or otherwise making available, alignment or
combination, restriction, erasure or destruction.
The term restriction is new and when concluding processing agreements, you should
separately acknowledge each one of these items as processing carried out separately.
Controller (Module 3)
A Controller means the natural or legal person, public authority, agency or other body which,
alone or jointly with others, determines the purposes and means of the processing of personal
data; where the purposes and means of such processing are determined by Union or Member
State law, the controller or the specific criteria for its nomination may be provided for by Union
or Member State law.
Essentially the Controller decides how and why the personal data is processed.
Legal Justification
This is one of the most important provisions to get right and is likely to be one of the key focus
areas for Supervisory Authorities if you are audited.
There are six legal bases for processing under the GDPR in Article 6.
• Consent - The individual has given consent which is essentially a revocable contract
• Contract with Data Subject - Necessary for the performance of a contract with the individual or to enter into such a contract. Note that this does not mention a contract with a company; the Recitals mention a contract but do not say that it must be with the data subject
• Legal Obligation - Necessary for compliance with a legal obligation to which the
controller is subject
• Vital Interests - Necessary to protect a person’s vital interests
• Public Interest - Necessary for performance of a task in the public interest or in exercise
of official authority vested in the controller
• Legitimate Interest - Necessary for the purposes of the legitimate interests of the controller or a third party, except where overridden by the interests of the individual (see Module 11 for more detail)
It should be noted that the meaning of ‘necessary’ has been defined in case law.
These legal bases are further restricted where the data type is sensitive and then you need to
read Article 6 in conjunction with Article 9. This should also be read in conjunction with Article
28 that sets out the processing rules for processors. Effectively a processor holds data under
a contract with the Controller or a legal obligation. This means that if you are a processor and
say that you are holding it under another legal basis – you are in fact a Controller in respect
of this processing.
Note that public bodies cannot rely on legitimate interest for processing personal data in respect of their official duties (the restriction applies to those duties only). There is also no mention of legitimate interest as a legal basis for processing sensitive data, but there are specific provisions for processing sensitive data in an employment context or for legal proceedings which, for ordinary personal data, would likely fall under legitimate interest.
It should be noted that the processing must also comply with the six Principles (which are part of Privacy by Design):
1) Lawfulness, fairness & transparency
2) Purpose limitation
3) Data minimisation
4) Accuracy
5) Storage limitation
6) Security, integrity & confidentiality
AND the Controller must be able to demonstrate compliance with the principles (‘Accountability’).
A Note on Consent – you should not rely on consent if you can rely on another legal basis.
One important point: you can rely on legitimate interest for marketing, and anyone involved in marketing should note the soft opt-in from the ePrivacy Directive (which some incorrectly think was repealed by the GDPR). A module on consent is coming soon.
For Consent as a lawful basis to be valid:
➢ Consent to processing of personal data must be freely given, specific, informed and unambiguous;
➢ by a statement or a clear affirmative action;
➢ it cannot be inferred from silence, pre-ticked boxes or inactivity;
➢ it can be withdrawn, and it must be easy to do so;
➢ Processing of ‘sensitive data’ requires “explicit consent”;
➢ In a written declaration concerning other matters (e.g. a contract), the request for consent must be clearly distinguishable from the other matters;
➢ Records must be kept of how and when consent was given;
➢ ‘Information society services’ offered directly to a child under 16 years must get the verified consent of a parent or guardian;
➢ Member States may provide for a lower age, provided it is not under 13 years; for example, in Ireland the Data Protection Act, 2018 sets an age of 16 years that will be reviewed within 3 years of enactment.
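The legal-basis rules in the Legal Justification section and the consent conditions above can be turned into a consistency check over the records in a processing inventory. The example below is added here and is not part of the original module or of any inventory tool it describes; the field names, finding wording and sample records are assumptions chosen for this illustration.

```python
# Added example (not from the module or any tool it describes): consistency
# checks over records in a processing inventory, encoding the rules stated in
# the text. Field names and the sample records are assumptions for this example.
from dataclasses import dataclass

LEGAL_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
               "public_interest", "legitimate_interest"}
# A processor holds data under a contract with the controller or a legal obligation.
PROCESSOR_BASES = {"contract", "legal_obligation"}


@dataclass
class ProcessRecord:
    name: str
    role: str                       # "controller" or "processor"
    legal_basis: str                # one of LEGAL_BASES (Article 6)
    sensitive: bool = False         # Article 9 special-category data involved
    article9_condition: str = ""    # "explicit_consent", "employment_law", ...
    public_body: bool = False
    official_duty: bool = False     # processing is part of the body's official duties
    child_service: bool = False     # information society service offered to a child < 16
    verified_parental_consent: bool = False


def check_record(rec: ProcessRecord) -> list:
    """Return findings for one record; an empty list means it is consistent."""
    findings = []
    if rec.legal_basis not in LEGAL_BASES:
        return [f"{rec.name}: unknown legal basis '{rec.legal_basis}'"]
    if rec.role == "processor" and rec.legal_basis not in PROCESSOR_BASES:
        findings.append(f"{rec.name}: processor relying on '{rec.legal_basis}' "
                        "is a controller in respect of this processing")
    if rec.sensitive and not rec.article9_condition:
        findings.append(f"{rec.name}: sensitive data needs explicit consent "
                        "or another Article 9(2) condition")
    if rec.public_body and rec.official_duty and rec.legal_basis == "legitimate_interest":
        findings.append(f"{rec.name}: public body cannot rely on legitimate "
                        "interest for its official duties")
    if rec.legal_basis == "consent" and rec.child_service and not rec.verified_parental_consent:
        findings.append(f"{rec.name}: consent of a child under 16 needs "
                        "verified consent of a parent or guardian")
    return findings


def check_inventory(records) -> list:
    """Run check_record over every record and flatten the findings."""
    return [f for rec in records for f in check_record(rec)]


# Constructed sample inventory for demonstration (not real processes).
SAMPLE_INVENTORY = [
    ProcessRecord("payroll", "controller", "legal_obligation"),
    ProcessRecord("hosted-crm", "processor", "legitimate_interest"),
    ProcessRecord("sick-leave", "controller", "contract", sensitive=True),
    ProcessRecord("kids-app", "controller", "consent", child_service=True),
]
```

Running `check_inventory(SAMPLE_INVENTORY)` flags the processor relying on legitimate interest, the health data with no Article 9(2) condition, and the child consent without parental verification, while the payroll record passes.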
Third Party Partners
A category for all others such as where you are a Joint Controller in respect of a process or
where you have perhaps a legal obligation and may hold data on these partners. It may also
be relevant in certain sectors such as where Controllers hold medical records and similar data.
Source of data
It is important to be able to determine the source of data for each process. This is because
one of the key requirements of the GDPR is that you make available Transparency Notices to
data subjects when you are a Controller under Article 13 when you collect data directly from
the data subject and indirectly under Article 14. Therefore, your description should cover
whether the data comes directly or indirectly from a data subject. These notices when they
concern external matters should be communicated to data subjects through inclusion on a
website or through an email message. For internal matters the notices should be made
available on corporate intranets or on a shared drive to which all employees are given access.
At a minimum a Privacy Notice should provide in an easily accessible form, using clear and
plain language the following:
1. Data controller identity and contact details.
2. DPO contact details, where applicable.
3. Purpose of processing.
4. Legal basis for processing.
5. Legitimate interests, where applicable.
6. Recipients or categories of recipients.
7. Data retention period, or criteria used to determine it.
8. Individual’s rights including access, correction, erasure, restriction, objection, data
portability.
9. Where processing based on consent, right to withdraw it at any time.
10. Right to complain to DPC.
11. Whether data controller uses automated decision-making (including profiling),
information about the logic involved, and the consequences for the individual.
Under Article 14 more detail on the actual personal data held must be given to the
data subject.
Personal Data relating to Criminal Convictions and Offences
Lastly the GDPR has a special category for the processing of personal data relating to criminal
convictions and offences. If you are processing such data you should also consider the
restrictions in Article 23, the need to carry out a DPIA, and the need to appoint a DPO under
Article 37.
Security
Article 32 describes the technical and organisational controls that need to be complied with.
These can be divided into mainly your Information Security and Physical security controls that
should be documented as part of your GDPR compliance so in the event of an incident that
you can prove you followed best practice to reduce the risk of fines and reputational risk.
Physical controls will describe your controls over physical access to the data such as use of
swipe cards to access floors, clean desk policies, and guidance on guests accessing the
building.
Logical controls should describe the controls you have over access to IT resources. The GDPR requires that you maintain the Confidentiality, Integrity, and Availability of resources. This implies that the familiar ‘sorry, you cannot access our systems because they are down’ excuse now becomes classified as a data breach, because of the definition of personal data.
This should be supplemented with administrative controls such as least-privilege access rights, allowing only personnel involved in processing the relevant personal data to have access. It also includes the policies and procedures necessary to maintain security, and adequate staff training in IT security best practice.
Joint Controller
A Joint Controller occurs where two or more controllers jointly determine the purposes and
means of processing. An agreement should exist between joint Controllers setting out the
rights and obligations of each.