Description of the organisation’s data protection practices

The data controller’s appropriate technical and organisational measures for fulfilling data protection requirements

The organisation has chosen the D-Fence Easy GDPR service for the fulfilment of their data protection requirements.

On this page, you will find information on the certified organisation’s personal data processing practices, their lawfulness, and proof of compliance.

Proof of compliance for data protection practices per requirement

The implementation of the organisation’s data protection is described below, divided into sections by requirement so that a preliminary examination is easier to conduct.

With the help of the Easy GDPR service, the organisation also follows the practices of data protection (GDPR) by design and by default.

Implemented data protection measures

Measure: Implementation

Mapping processed personal data: The organisation has mapped the types of personal data it processes and divided them into separate filing systems.

Description of processing activities: A separate data flow description has been created for each filing system to describe the complete flow of data, from when the organisation receives the data to when a specific piece of data is deleted, or the justification for storing the data further.

The organisation has also drawn up records of its processing activities from the perspectives of both the data controller and the data processor, and these can be viewed in the Easy GDPR service.

Risk assessments: Risk assessments have been carried out for each filing system, and balancing tests have been carried out when the legal basis for processing is legitimate interest. A Data Protection Impact Assessment (DPIA) has been carried out when the law requires it.

Notifying of processing activities: A separate Privacy Policy has been drawn up for each filing system, and the Privacy Policies have been published on the organisation’s website where applicable.

Administration and management: The organisation’s data protection measures are reviewed regularly; the measures are part of the organisation’s annual plan and are implemented based on a data protection plan.

Implementation of data protection measures

Measure: Implementation

Lawfulness: Lawfulness has been assessed and described in the register-specific data flow descriptions, which define the legal basis for processing.

Fairness: The appropriateness and fairness of processing with regard to the purposes of processing has been assessed in the data flow descriptions. The data flow descriptions also include an assessment that personal data are not processed in a manner that is unexpected or unpredictable for the data subject.

Transparency: This principle is implemented through register-specific Privacy Policies that describe processing activities clearly and understandably and have been made easily accessible through the organisation’s website.

Purpose limitation: The purposes for processing personal data have been defined in the data flow description and Privacy Policy of each filing system.

Data minimisation: The assessment of processed personal data against their purposes of processing has been described in the data flow descriptions. Personal data are processed only to the extent and for the period of time that is necessary for the defined purpose of processing.

Accuracy of data: The annual implementation plan for data protection includes regular inspections.

Storage limitation: The storage times for personal data in each filing system have been assessed in the data flow descriptions and included in the Privacy Policies.

Confidentiality and security: Protection measures and related risks have been assessed in the data flow descriptions and included in the Privacy Policies, and the appropriate processing of personal data is ensured by providing regular training to data processors.

Organisation as data controller

Data protection by design and by default: Implementation

Appropriate technical and organisational protection measures: Implemented, documented and available through the Easy GDPR service.

Implementation of data protection measures: Planned and documented in the different sections of the Easy GDPR service and implemented through personnel training and instructions throughout the organisation.

Ensuring efficiency: The implemented protection measures have been assessed to be appropriate and sufficient for the type and extent of data processing, and they have been documented in the Easy GDPR service.

Matters to consider

Latest technology: The data controller has taken into account the latest available technology when planning organisational measures, which are described in the Easy GDPR service.

Implementation costs and resources: The data controller has allocated sufficient resources for the implementation of the organisation’s data protection measures and, to ensure their implementation, registered for the D-Fence Easy GDPR service.

The nature, extent, context and purpose of processing: The organisation has assessed and documented the measures for each thematic section in the Easy GDPR service.

Risks related to the rights and freedoms of data subjects: The risks, which vary by likelihood and severity, have been described at a general level in the data flow description of each filing system and in more detail in the Data Protection Impact Assessment to the extent required by law.

Time-related matters

Defining methods of processing: The organisation, acting as the data controller, has assessed the processing activities related to personal data in each filing system and the possible risks related to them.

Processing personal data: The organisation maintains continuous data protection by design and by default, which has been implemented, documented and made available through the Easy GDPR service.

Data protection by default

Processing personal data only to the extent necessary for the purpose of processing: In accordance with the principle of data minimisation, the organisation has defined the data necessary for each purpose of processing and described them in the data flow descriptions.

The amount of personal data collected: In accordance with the principle of data minimisation, the organisation has defined the data necessary for each purpose of processing and described them in the data flow descriptions.

The extent of processing: The processing of personal data is restricted to cover only such data as are necessary for the purpose of processing, and these have been described in the data flow descriptions.

Data storage period: The personal data storage times and the justification for them have been planned and described in the data flow descriptions.

Availability of data: The availability of processed data has been planned and described in the data flow descriptions.

Transparency: The organisation has informed data subjects of processing activities transparently in its Privacy Policies, which are easily accessible to data subjects on the organisation’s website.

Lawfulness: A legal basis for processing has been defined for all processed personal data by data category. Descriptions are included in the data flow descriptions and Privacy Policies.

Fairness: The organisation has planned and implemented processing activities in such a way that personal data are not processed in ways that are unjustifiably harmful, discriminatory, unexpected or misleading to the data subject. Data subjects are ensured a sufficient right of self-determination, and interaction with the data controller has been ensured through a data protection point of contact. The details of the point of contact are included in the Privacy Policies.

The rights of the data subject and their implementation

Requirement: Implementation

Right to obtain information on the processing of personal data: Information on this right has been included in the Privacy Policies, and a point of contact has been provided for the data subject to exercise their right.

Right to access personal data: Information on this right has been included in the Privacy Policies, and a point of contact has been provided for the data subject to exercise their right.

Right to rectify personal data: Information on this right has been included in the Privacy Policies, and a point of contact has been provided for the data subject to exercise their right.

Right to the erasure of personal data and to be forgotten: Information on this right has been included in the Privacy Policies. To ensure that the data subject is able to exercise this right, the organisation has included descriptions of the systems used for processing the data in each filing system in its data flow descriptions.

Right to restrict the processing of personal data: Information on this right has been included in the Privacy Policies, and a point of contact has been provided for the data subject to exercise their right.

Right of portability: Information on this right has been included in the Privacy Policies, and a point of contact has been provided for the data subject to exercise their right. The data subject can only exercise this right when the basis for processing is consent or agreement.

Right to object to the processing of personal data: Information on this right has been included in the Privacy Policies, and a point of contact has been provided for the data subject to exercise their right.

Right not to be subject to a decision based solely on automated processing: Information on this right has been included in the Privacy Policies, and a point of contact has been provided for the data subject to exercise their right.

Management of suppliers acting as data processors

Measure: Implementation

Data Processing Agreement (DPA): The management of suppliers’ DPAs has been implemented in the “service providers” section of the Easy GDPR service, and the validity of agreements is reviewed regularly.

Data controller’s instructions to data processors: The same “service providers” section is also used to manage instructions to data processors.

Regular evaluation of suppliers: The evaluation of service providers and suppliers acting as data processors is included in the annual data protection plan.

General data security measures

Measure: Implementation

Personnel competence: The data security competence of the organisation’s personnel is maintained by providing training, which is one of the measures included in the annual data protection plan.

Instructions: The organisation has implemented a data security policy and specific instructions for maintaining a high level of competence in cyber security matters.

Security of systems: All systems are kept up to date, and all devices used by office workers have appropriate security software.

Data storage policy: Personal data and critical business data are processed with due diligence, and knowledge of this is part of office workers’ competence.

Logs: Logs are created in the systems where possible and where required by law.

Organisation as data processor

Requirement: Implementation

Technical and organisational protection measures: Employees taking part in processing activities have been instructed in accordance with the instructions provided by the customer. Data protection competence is maintained through regular data protection reviews.

Personal data processing activities carried out by the organisation based on legal requirements, and the related documentation, can be reviewed in their entirety in the Easy GDPR service.

The implementation of proof of compliance: The organisation has implemented sufficient technical and organisational protection measures and included them as part of the processing activities. Consequently, processing complies with all requirements, and the rights and freedoms of data subjects are protected.

Data Processing Agreement (DPA): The organisation has implemented the legally required agreements between the data controller and suppliers.

Data controller’s instructions to data processors: The organisation processes data solely in accordance with the instructions provided by the data controller.

Subcontractors: The data processor has provided transparent information on any suppliers acting as data processors and ensures that said suppliers process personal data with the same due diligence as the organisation does.

Data transfer: The organisation does not transfer personal data to third parties without the express permission of the data controller.

Access permissions: When processing personal data on behalf of the data controller, the organisation ensures that personal data are only processed by persons who have the right to process them.

Information security: The organisation has implemented sufficient data security measures, and the assessment of the sufficiency of these measures is included in the annual data protection plan.
