The controller is required to have a sufficient legal basis for the processing of personal data. The data subject must grant explicit consent for their personal data to be controlled or processed. Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. The processing of data must also meet the legal tests outlined in the GDPR regulation.
Personal data can only be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
Appropriate security and privacy protections shall be instated to ensure the integrity and confidentiality of personal data. This shall entail data protection by design and by default.
Reasonable measures must be taken to ensure that all personal data are accurate and updated accordingly and that any inaccurate data is erased or rectified in a timely manner.
Personal data shall be stored only for as long as necessary for the processing of the data. Only under certain circumstances shall the personal data be stored for longer periods.
Organizations must demonstrate that they comply with the GDPR and that they have taken appropriate measures to ensure compliance. This principle underlies the importance of keeping detailed logs of all activity related to the processing of personal data.
In the event when a personal data breach has occurred, the controller is required to notify the breach to the supervisory authority no later than 72 hours after becoming aware of the breach. When the breach will likely result in a high risk to the rights and freedoms of a data subject, the controller shall report the breach to the data subject without delay. The Regulation outlines the information to report in addition to the notification of the breach.
Written in conjunction with an EU privacy lawyer, this whitepaper describes the GDPR and its implications for organizations that use the cloud. Read this whitepaper to gain an in-depth perspective on the GDPR and cloud compliance.Learn more