To process personal data lawfully, the controller or processor has to do the following:
- Keep a record of processing activities, which should include:
  - The name and contact details;
  - The purposes of the processing;
  - A description of the categories of data subjects and of the categories of personal data;
  - The categories of recipients to whom the personal data have been or will be disclosed;
  - Transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards;
  - Where possible, the envisaged time limits for erasure of the different categories of data; and
  - Where possible, a general description of the technical and organisational security measures referred to in Article 32(1) of the GDPR.
- Comply with the requirements of the Regulation, and have written proof thereof, including but not limited to the obligations to:
  - Process personal data lawfully, fairly and in a transparent manner (Article 1 (a) GDPR);
  - Collect personal data for specified, explicit and legitimate purposes and not further process it in a manner that is incompatible with those purposes (Article 1 (b) GDPR);
  - Process personal data that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (Article 1 (c) GDPR);
  - Keep the personal data processed accurate and, where necessary, update it (Article 1 (d) GDPR);
  - Keep the personal data in a form which permits identification of data subjects for no longer than is necessary (Article 1 (e) GDPR); and
  - Process personal data in a manner that ensures appropriate security (Article 1 (f) GDPR).
- Process personal data only under one of the lawful bases under Article 6 of the GDPR.
- Comply with the requirements related to: the information to be provided where personal data have or have not been collected from the data subject (Articles 13 and 14 GDPR); the right of access of the data subject (Article 15 GDPR); and the rights to rectification (Article 16 GDPR), erasure (Article 17 GDPR), restriction of processing (Article 18 GDPR), portability (Article 20 GDPR) and objection (Article 21 GDPR).
- Appoint a European Representative if it does not have a presence in the EU but offers goods or services to, or monitors the behavior of, data subjects located in the Union. Make sure to appoint a Representative located in one of the Member States where the data subjects are.