EU General Data Protection Regulation (GDPR)

Rights of data subjects

Requirements:

• Data subjects’ rights of access
• Right to withdraw consent *
• Right to rectification *
• Right to data portability *
• Right to object to processing of personal data *
• Right not to be subject to an automated decisionmaking process (including profiling) *
• Right to erasure *
• Right to restriction of processing *

Our services:

• Clarifying and implementing the rights of data subjects (e.g. access rights and right to erasure of data)
• Implementing effective processes to ensure that the mandate is adequately scaled; its scope must be defined clearly and precisely
• Analysing data sources and their use: view or taxonomy of databases, business and IT perspective (system-specific view of personal data)
• Clarifying and designing the approach for handling unstructured data, e.g. data from free-format text fields, PDFs and other documents that are difficult to identify and access

Data transfers

Requirements:

• Transfer within a group of undertakings
• Transfer to other undertakings (third parties)
• Transfer in connection with court proceedings and investigations

Our services:

• Ascertaining what personal data are to be transferred to third parties or processing parties within your own undertaking
• Assessing inventory-related measures to ascertain what data attributes are to be transferred to third parties in connection with change the bank (CTB) and run the bank (RTB) activities
• Legal advice on defining or redefining contractual agreements between the parties involved in developing a framework for data transfer within the group
• Checking existing contracts with third parties and identifying personal data transferred to third parties, including specifying the purpose of the processing and transfer
• Legal advice to companies evaluating their repapering, or defining or redefining contractual agreements between the parties involved
• Drawing up documents and guidelines for intragroup and international agreements on data transfer

Governance, guidelines and control frameworks

Requirements:

• Data protection impact assessment *
• Record of processing activities *
• Lead supervisory authority *
• Data protection officer *
• Technical and organisational measures geared to personal data security

Our services:

• Defining the requisite measures in connections with governance, guidelines and control frameworks
• Drawing up documents and guidelines on
  • internal data protection and governance architectures
  • data protection within the undertaking, for example on the use of emails and the internet at the workplace, and the storage and archiving of data
  • data protection measures for websites and e-commerce
  • declarations of consent to data processing
  • data processing agreements, particularly in connection with outsourced projects
  • joint controller agreements, particularly in connection with shared platforms and cloud-based solutions (e.g. cloud computing, Internet of Things)

Personal data breaches

Requirements:

• Notification to supervisory authorities *
• Notification to data subjects *

Our services:

• Sorting out existing personal data breaches and security frameworks
• Advising the legal and IT teams on implementing a triage and notification process for personal data breaches
• Drawing up an overview of existing security structures and making sure appropriate technical and organisational measures are in place to encrypt data in the event of unauthorised access
• Advice on designing and implementing notification requirements for personal data breaches or losses (e.g. notification of GDPR breaches) to the supervisory authorities and/or data subjects