The controller must adopt an appropriate methodology for the implementation of the PVZLP.
The controller can choose different methodologies for implementing the PVZLP. The following are the criteria that the controller can use to assess whether the GDPR or the methodology for implementing the GDPR is comprehensive enough to comply with the personal data protection regulations:
- the assessment contains a systematic description of the processing :
- the nature, scope, context and purposes of the processing are taken into account;
- personal data, recipients and the period of storage of personal data are recorded;
- a functional description of the processing operation is given;
- assets on which personal data depend are identified (equipment, software programs, networks, persons, documents in paper form or channels for sending documents in paper form);
- compliance with approved codes of conduct is also taken into account;
- the need and proportionality have been assessed :
- the measures provided for compliance with the regulations for the protection of personal data have been determined, taking into account:
- measures contributing to the proportionality and necessity of processing based on:
- specific, clear and legitimate goals;
- lawfulness of processing;
- adequate and relevant personal data and limited to what is necessary;
- limited storage period;
- measures that contribute to the rights of the subjects of personal data:
- information provided to the subject of personal data;
- right of access and portability of data;
- right to rectification and erasure;
- right to object and restriction of processing;
- relations with processors;
- safeguards relating to transmission;
- prior consultation.
- measures contributing to the proportionality and necessity of processing based on:
- the measures provided for compliance with the regulations for the protection of personal data have been determined, taking into account:
- the risks for the rights and freedoms of the respondents are controlled:
- the source, nature, particularity and severity of the risk are assessed, in more detail for each risk (unauthorized access, unwanted changes and missing data) from the point of view of the subjects of the personal data:
- the sources of risk are taken into account;
- the possible effects on the rights and freedoms of the subjects of personal data have been determined, among other things, in case of unauthorized access, unwanted changes and missing data;
- threats that could lead to unauthorized access, unwanted change and missing data are identified;
- probability and severity are assessed;
- certain measures are foreseen to eliminate these risks;
- the source, nature, particularity and severity of the risk are assessed, in more detail for each risk (unauthorized access, unwanted changes and missing data) from the point of view of the subjects of the personal data:
- stakeholders are included :
- the officer’s advice was sought;
- where appropriate, the opinions of the subjects of the personal data or their representatives have been requested.
The following are examples of methodological approaches for the implementation of PVZLP.
Examples of general frameworks of PVZLP in the EU:
- Germany: Standard Data Protection Model, V.1.0 – Trial version, 2016 (Standard Data Protection Model, V.1.0 – Trial version, 2016).
https://www.datenschutzzentrum.de/uploads/SDM – Methodology_V1_EN1.pdf
- Spain: Guía para una Evaluación de Impacto en la Protección de Datos Personales (EIPD), Agencia española de protección de datos (AGPD), 2014.
https://www.agpd.es/portalwebAGPD/canaldocumentacion/publicaciones/common/Guias/Gui a_EIPD.pdf
- France: Privacy Impact Assessment (PIA), Commission nationale de l’informatique et des libertés (CNIL), 2015. https://www.cnil.fr/fr/node/15798
- United Kingdom: Implementing a Privacy Impact Assessment Code of Practice, Information Commissioner’s Office (ICO), 2014. (Conducting privacy impact assessments code of practice, Information Commissioner’s Office (ICO), 2014). https://ico.org.uk/media/for – organizations/documents/1595/pia – code – of – practice.pdf
- Czech Republic: Metodika obecneho beszkom vlivu na ochranu osnych odstavnia, 23.10.2019, Úřad pro ochranu osnych osnych dąiago (UOOU) https://www.uoou.cz/assets/File.ashx?id_org=200144&id_dokumenty=38693 .
Examples of the sectoral framework of the PVZLP in the EU:
- Privacy Impact Assessment Framework and Personal Data Protection for RFID Applications
http://ec.europa.eu/justice/data – protection/article – 29/documentation/opinion recommendation/files/2011/wp180_annex_en.pdf
- Personal Data Protection Impact Assessment Form for Smart Grid and Smart Metering Systems http://ec.europa.eu/energy/sites/ener/files/documents/2014_dpia_smart_grids_forces.pdf
International standard
- ISO/IEC 291343: https://www.iso.org/obp/ui/#iso:std:iso-iec:29134:ed-1:v1:en
Compliance with the code of conduct should also be taken into account when implementing the Personal Data Protection Act ( Article 44 of the Law on Personal Data Protection ). In this way, the controller can demonstrate that he has applied appropriate measures, provided that the code of conduct corresponds to the processing process ( Article 46 of the Law on Personal Data Protection ).
Also, during the implementation of PVZLP, certificates, as well as seals and marks for the protection of personal data (privacy seals) should be taken into account in order to demonstrate compliance with the regulations for the protection of personal data by the controller.
