GDPR Controller


Checklist for Data Controller

1. Code of conduct applicable to the controller, its employees and processors for the purpose
   of specifying:

   a. the legitimate interests pursued by controllers in specific contexts requiring
      collection;
      Agreements/Guidelines for Data collection to be executed and shared with
      Data Subjects and Data processors.

   b. fair and transparent processing of data collected;
      Manner of Data storage and monitoring w.r.t. accuracy from time to time.

   c. the collection of personal data;
      Kinds of Data being collected.

   d. the pseudonymization of personal data;
   e. the information provided to the public and to data subjects;
   f. the exercise of the rights of data subjects;
   g. the information provided to, and the protection of, children, and the manner in
      which the consent of the holders of parental responsibility over children is to be
      obtained;
   h. maintaining records of personal data breaches and communicating such
      personal data breaches to data subjects;
   i. the transfer of personal data to third countries or international organizations; a
      controller or processor may transfer personal data to a third country or an
      international organization only if the controller or processor has provided
      appropriate safeguards, and on condition that enforceable data subject rights
      and effective legal remedies for data subjects are available;
   j. out-of-court proceedings and other dispute resolution procedures for resolving
      disputes between controllers and data subjects with regard to processing,
      without prejudice to the rights of data subjects.

2. Provisions to be implemented into administrative arrangements between public
   authorities or bodies to enforce effective data subject rights.
Checklist items (S.No., Item, Description):

1. Conduct Information Audit
   Organizations that have at least 250 employees or conduct higher-risk data
   processing are required to keep an up-to-date and detailed list of processing
   activities and be prepared to show that list to regulators upon request. The best
   way to demonstrate GDPR compliance is using a data protection impact
   assessment.

   Organizations with fewer than 250 employees should also conduct an
   assessment because it will make complying with the GDPR's other
   requirements easier.

   Enlist: the purposes of the processing, what kind of data you process, who has
   access to it in your organization, any third parties (and where they are
   located) that have access, what you're doing to protect the data (e.g.
   encryption), and when you plan to erase it (if possible).

2. The legal justification for data collection
   Processing of data is illegal under the GDPR unless you can justify it according
   to one of six conditions listed in Article 6*.
   - Choose a lawful basis for collecting and/or processing personal data, and
     document your rationale.
   - Note that if you choose "consent" as your lawful basis, there are additional
     obligations, including giving data subjects the ongoing opportunity to revoke
     consent. If "legitimate interests" is your lawful basis, you must be able to
     demonstrate you have conducted a privacy impact assessment.

3. Clear information about data collection and privacy policy
   - Why data is collected.
   - How the data is processed, who has access to it, and how you're keeping it
     safe. This information should be included in the privacy & security policy
     and provided to data subjects at the time you collect their data.

4. Encryption, pseudonymize, anonymize personal data
   Guidelines for data collection: principles of data protection by design and by
   default, including implementing "appropriate technical and organizational
   measures" to protect data.

   In other words, data protection is something you now have to consider
   whenever you do anything with other people's personal data.

   You also need to make sure any processing of personal data adheres to the
   data protection principles outlined in Article 5*.

   Technical measures include encryption, and organizational measures are things
   like limiting the amount of personal data you collect or deleting data you no
   longer need. The point is that it needs to be something you and your
   employees are always aware of.

   The GDPR requires organizations to apply encryption or pseudonymization,
   whichever is feasible.

5. Create Internal Security Policy
   - Technical security.
   - Operational security.
   - Team members are knowledgeable about data security, e.g. guidance about
     email security, passwords, two-factor authentication, device encryption, and
     VPNs. Identified employees who have access to personal data and
     non-technical employees should receive extra training in the requirements of
     the GDPR.

6. Sign Agreements for third parties which process personal data
   - Third-party services that handle the personal data of your data subjects,
     including analytics software, email services, cloud servers, etc.

7. Privacy Rights of data owners/data subjects
   1) People have an enforceable right to see what personal data you have about
      them and how you are using it.
   2) They also have a right to know how long you plan to store their information
      and the reason for keeping it that length of time.
   3) A data owner requesting visibility of their data should be verified prior to
      sharing. You should be able to comply with such requests within a month.
   4) Do your best to keep data up to date and give data subjects the right to
      update their personal information for accuracy and completeness.
   5) People generally have the enforceable right to ask you to delete all the
      personal data you have about them, and you have to honor their request
      within about a month. There are five grounds on which you can deny the
      request, such as the exercise of freedom of speech or compliance with a
      legal obligation. You must also try to verify the identity of the person
      making the request.
   6) Your data subjects can request to restrict or stop processing of their data if
      certain grounds apply, mainly if there's some dispute about the lawfulness of
      the processing or the accuracy of the data. You are required to honor their
      request within about a month. While processing is restricted, you're still
      allowed to keep storing their data. You must notify the data subject before
      you begin processing their data again, and inform them that you continue to
      store the same (data purging).
   7) Data subjects should be able to receive their personal data in a commonly
      readable format (e.g. a spreadsheet), or have it sent to a third party they
      designate. If you're processing their data for the purposes of direct
      marketing, you have to discontinue unless express specific written consent
      is taken and retained for that purpose.

   - Using automated assurances to data subjects is useful.

*Article 6:
Processing shall be lawful only if and to the extent that at least one of the following applies:

1. the data subject has given consent to the processing of his or her personal data
   for one or more specific purposes;
2. processing is necessary for the performance of a contract to which the data
   subject is party or in order to take steps at the request of the data subject prior to
   entering into a contract;
3. processing is necessary for compliance with a legal obligation to which the
   controller is subject;
4. processing is necessary in order to protect the vital interests of the data subject
   or of another natural person;
5. processing is necessary for the performance of a task carried out in the public
   interest or in the exercise of official authority vested in the controller;
6. processing is necessary for the purposes of the legitimate interests pursued by
   the controller or by a third party, except where such interests are overridden by the
   interests or fundamental rights and freedoms of the data subject which require
   protection of personal data, in particular where the data subject is a child.

*Article 5

1. Personal data shall be:

   1. processed lawfully, fairly and in a transparent manner in relation to the
      data subject (‘lawfulness, fairness and transparency’);
   2. collected for specified, explicit and legitimate purposes and not further
      processed in a manner that is incompatible with those purposes; further
      processing for archiving purposes in the public interest, scientific or
      historical research purposes or statistical purposes shall, in accordance
      with Article 89(1), not be considered to be incompatible with the initial
      purposes (‘purpose limitation’);
   3. adequate, relevant and limited to what is necessary in relation to the
      purposes for which they are processed (‘data minimization’);
   4. accurate and, where necessary, kept up to date; every reasonable step
      must be taken to ensure that personal data that are inaccurate, having
      regard to the purposes for which they are processed, are erased or
      rectified without delay (‘accuracy’);
   5. kept in a form which permits identification of data subjects for no longer
      than is necessary for the purposes for which the personal data are
      processed; personal data may be stored for longer periods insofar as the
      personal data will be processed solely for archiving purposes in the public
      interest, scientific or historical research purposes or statistical purposes
      in accordance with Article 89(1), subject to implementation of the
      appropriate technical and organizational measures required by this
      Regulation in order to safeguard the rights and freedoms of the data
      subject (‘storage limitation’);
   6. processed in a manner that ensures appropriate security of the personal
      data, including protection against unauthorized or unlawful processing
      and against accidental loss, destruction or damage, using appropriate
      technical or organizational measures (‘integrity and confidentiality’).

2. The controller shall be responsible for, and be able to demonstrate compliance
   with, paragraph 1 (‘accountability’).
