
Data Protection Impact Assessment (based on NOREA PIA que

This template is designed to simplify the processing of the Data Protection Impact Assessment (DPIA) questionnaire

Instructions

1. Enter the answers to the questions in the red box in the "DPIA questionnaire" tab (the three columns "Yes", "No" and "C
2. Go to the tab "Results and risks" and set the filter in cell C13 to "everything except the (Empty cells)"
3. Copy the cells on the DPIA tab indicating a risk and paste them into the MS Word DPIA report template in chapter 3 (Identifi
4. In the results tab you can read about which privacy principles the project is currently most at risk
5. Complete the MS Word template. You can insert the spreadsheet in Chapter 5 as an attachment.

Note 1: The controller must also seek advice from the data protection officer (Article 35(2)) and that advice should
be included, together with the decisions of the controller, in the data protection impact assessment report.
Note 2: The data protection officer should also monitor the implementation of the risk-mitigating measures that arise from the

Documentation and source of references: the Norea guide PIA v1.2 (https://www.norea.nl/download/?id=522)
Total risks: 0

OECD Principles                          # Risks   Risk %
1. Limiting the collection of data       0         0.0%
2. Data quality                          0         0.0%
3. Purpose limitation                    0         0.0%
4. Limiting the use of data              0         0.0%
5. Security                              0         0.0%
6. Transparency                          0         0.0%
7. Rights of data subjects               0         0.0%
8. Responsibility and Accountability     0         0.0%

ID   Risks   Mitigating measures
DATA PROTECTION IMPACT ASSESSMENT
This is an English working version, based on NOREA PIA, version 1.2
Offered to you by RDM Support Utrecht University (www.uu.nl/rdm)

# Question

1 Project type

1.1 Is there processing of personal data?

1.2 Is it clear who is responsible for processing the data?

1.3 Does your organization process personal data on behalf of and under the
responsibility of another organization? Or: does your organization act as a
processor?

1.4 Is it clear who, after the project is finished, is responsible for
maintaining and evaluating the measures taken?

1.5 Has the purpose of processing personal data within the project been
sufficiently SMART defined?

1.6 Is there ...

a Use of new technology?

b Use of technology that can raise questions or resistance from the
public?

c The introduction of existing technology in a new context?

d (Other) major shifts in the way the organization works, the way in
which personal data is processed and/or the technology that is used in
that process?
e A new processing of personal data?

f Collecting more or other personal data than before, or a new way of
collecting?

g Use of already collected data for a new purpose or in a new way?

1.7 Have you answered No to all of the above (a to g)?

1.8 Are there (in addition to the GDPR) many laws and regulations
regarding personal data that the project has to deal with?

1.9 Are there many social stakeholders?

1.10 Are there many parties involved in the implementation of the
project?

1.11 Is there a dispute settlement body or another party to which the
person concerned can turn with questions or complaints?

2 The personal data

2.1 Is all data necessary to achieve the goal (is as little data as
possible collected)?

2.2 Can the goal be achieved with anonymized or pseudonymised data
(even if this is not currently done)?

2.3 Can the data be used to map and/or assess the behavior, presence
or performance of people (even if this is not the goal)?

2.4 Is there processing of ...

a Special personal data?

b Unique identifying data?

c Legally prescribed personal numbers?

d Other data than described above for which there is a (perceived)
increased sensitivity?

2.4.1 If one of the above is Yes: can the goal be achieved with other
data that entail a reduced risk of abuse?

2.5 Do you process data about vulnerable groups or people?

2.6 Do the data relate to the whole or large parts of the population?

3 Involved parties

3.1 Are there (after completion of the project) multiple internal parties
involved in the collection and further processing of the data?

3.2 Are there (after completion of the project) multiple external parties
involved in the collection and further processing of the data?

3.3 Are parties involved (in the project or during processing) that do not
have to comply with privacy legislation comparable to that of the
Netherlands?

3.4 Is the provision of the data to third parties in line with the purpose
for which the data were originally collected?

3.5 Are the data sold to the third parties?

4 Collection of data

4.1 Can the way the data is collected be interpreted as privacy-sensitive?

4.2 Is the purpose of collecting the data publicly known, or can it be
publicly announced?
4.3 Do you collect the data on the basis of one of the legal bases?

4.4 Is it clear whether you collect the data on the basis of opt-in
(collection only if the data subject has given permission for this) or
on the basis of opt-out (collection unless the data subject has
objected)?

4.4.1 If you request permission (opt-in) from the data subject: can the
data subjects withdraw the consent at a later date (opt-out)?

4.4.2 Is the impact of withdrawing consent large for the person
concerned?

4.5 Are you informing the data subject that the data is being collected?

4.5.1 If No: can the data subjects be aware of the data collection?

4.5.2 If Yes (on question 4.5): do you inform the data subject why the
data is being collected (what you will do with it)?

4.5.3 If Yes (on question 4.5): do you tell the data subject to whom the
information is provided (where this is not a legal obligation)?
4.6 Could the person concerned be surprised by the processing (at the
time that he or she is informed about it)?

5 Use of personal data

5.1 Is the use of the data compatible (in line) with the purpose of
collecting?

5.2 Is data used for other business processes or goals than they were
originally collected for?

5.2.1 Does the purpose of this business process match the original
purpose of collecting?

5.3 Is the quality of the data guaranteed, i.e. is the data up-to-date,
correct and complete?

5.4 Are decisions about the data subjects made on the basis of the data?
5.4.1 If Yes: do the data provide a complete and up-to-date picture of the
data subjects?

5.5 Is there a link, enrichment or comparison of data from different
sources?

5.6 Is data widely distributed within the organization?

5.7 Is data widely distributed outside the organization?


5.7.1 Is the passing on of data to parties outside the organization in line
with the expectations of the individual?

5.8 Does your organization draw up profiles of the people involved,
whether or not they are anonymous?

5.8.1 If profiles are drawn up, can the profile lead to exclusion or
stigmatization?

5.9 Can the data subjects view or request their data?

5.10 Can the data subjects correct their data (improve, supplement) or
request this?

5.11 Can the data subjects delete their data or request this?

6 Retention and destruction

6.1 Has a retention period been set for the data?


6.2 Can the data be removed physically (from a file) or destroyed
(paper) after the retention period has expired?

6.2.1 If so, will the data be destroyed or removed after expiry of the
retention period in such a way that it can no longer be accessed and
used?

7 Security

7.1 Is there an internally formulated policy about securing information?

7.2 If so, is it clear what measures are being taken to ensure that the
requirements set in the security policy are met?

7.3 If so, have the guidelines on the protection of personal data
published by the Data Protection Authority been taken into account
when determining the measures?

8 Reporting duty data breach

8.1 Have measures been taken to report data leaks to the Supervisory
Authority and, where necessary, to the affected persons whose data were
leaked?

If so, are the Guidelines on the duty to report data breaches which
8.2 the Supervisory Authority has published adequately taken into
account when adopting the measures?

Extra information

Keep in mind when answering:


1. For and by whom the project is executed.
2. Whether someone is formally responsible for the processing of
the data.
3. Whether there is an internal contact person.

This questionnaire is intended for organizations that process
personal data in the role of controller. This questionnaire is not
intended for organizations that process personal data in the role of
processor.
Naturally, the measures taken must also be maintained in the future
and care must be taken to ensure that the risks are controlled (for
example by periodically carrying out this PIA).

SMART stands for:


Specific; the objective must be unambiguous
Measurable; under which (measurable / observable) conditions or
form the goal has been reached.
Acceptable; whether it is acceptable enough for the target group
and / or management; Is someone responsible for realizing the
goal?
Realistic; whether the objective is feasible.
Time-bound; when (in time) the goal must be reached.

For example intelligent transport systems, location or tracking
systems based on GPS, mobile technology, face recognition in
conjunction with camera surveillance.

For example, biometrics, RFID, behavioral targeting (profiling).

Such as camera surveillance or drug control in the workplace.

For example, merging or linking various government registrations,
introducing new forms of identification or replacement of a system
in which personal data is stored.
The use of data for business processes other than those for which
they have been collected, or wider dissemination of data within or
outside the organization.
For example, data enrichment through surveys and customer
surveys or approach of customers or citizens based on available
data for new products or services.

For example, merging internal databases to create customer
profiles.

The questionnaire up to this point can be considered a DPIA Quickscan.

Keep in mind when answering:


1. Sectoral legislation.
2. Code of conduct.
3. General administrative measures.
4. Jurisprudence.
5. International aspects.

Keep in mind when answering:


1. Employees, customers, suppliers, interest groups, citizens, clients
and regulators.
2. Which professional groups are involved in the processing.

Keep in mind when answering:


1. Contractors and service providers.
2. Hardware and software suppliers.
3. IT Service providers.

Keep in mind when answering:


1. Has the value added been determined per data element and why
this is necessary?
2. Is it sufficient to use only a yes / no instead of the complete data?
3. Can the difference between 2 values instead of both values be
sufficient?
4. Can other mathematical methods be used (for example for
determining deviations)?

By pseudonymisation, the directly identifying data of the data
subject are replaced in an unambiguous way, so that in the future
certain parties can still add data, but the unique identifying data can
not be retrieved.
By anonymization, all directly and uniquely identifying data is
removed.
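The two definitions above describe properties rather than a mechanism. The following is an added example (not part of the NOREA questionnaire or the UU template) showing one common way to obtain those properties: a keyed HMAC-SHA256 pseudonym replaces the direct identifier, so parties that share the key can still link or add records, while without the key the pseudonym can neither be reversed nor recomputed. The same block also shows anonymisation by dropping the identifier and generalising the remaining attributes, and a quasi-identifier uniqueness check that supports the template's later advice to periodically verify that the data are not indirectly identifying. All records, names and the key are constructed sample data; the helper names are the example's own.

```python
"""Added example: keyed pseudonymisation versus anonymisation, plus a
re-identification (k-anonymity) check. Not code from the NOREA/UU template."""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records: a direct identifier (BSN-like number),
# three quasi-identifiers and one payload attribute.
RECORDS = [
    {"id": "111222333", "postcode": "3584CS", "birth_year": 1990, "dept": "physics", "score": 7},
    {"id": "444555666", "postcode": "3584CS", "birth_year": 1991, "dept": "physics", "score": 8},
    {"id": "777888999", "postcode": "3512JE", "birth_year": 1975, "dept": "law", "score": 6},
    {"id": "123123123", "postcode": "3512JE", "birth_year": 1976, "dept": "law", "score": 9},
]
DIRECT_IDS = ("id",)
QUASI_IDS = ("postcode", "birth_year", "dept")


def pseudonym(secret_key: bytes, identifier: str) -> str:
    """Deterministic, one-way pseudonym for a direct identifier.

    An unkeyed hash (sha256(id)) would be reversible by brute force for a
    small identifier space such as 9-digit numbers; the secret key held by
    the controller is what stops a recipient from recomputing or reversing it.
    """
    return hmac.new(secret_key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, secret_key: bytes):
    """Replace direct identifiers by a keyed pseudonym; keep everything else."""
    out = []
    for r in records:
        row = {k: v for k, v in r.items() if k not in DIRECT_IDS}
        row["pid"] = pseudonym(secret_key, r["id"])
        out.append(row)
    return out


def generalise(r):
    """Coarsen quasi-identifiers: 4-digit postcode area, 10-year birth band."""
    return {
        "postcode": r["postcode"][:4],
        "birth_year": (r["birth_year"] // 10) * 10,
        "dept": r["dept"],
        "score": r["score"],
    }


def anonymise(records):
    """Drop direct identifiers entirely and generalise the quasi-identifiers."""
    return [generalise(r) for r in records]


def min_group_size(records) -> int:
    """k for k-anonymity: size of the smallest group of records that share the
    same quasi-identifier values. k == 1 means at least one record is unique on
    postcode/birth year/department and is therefore still indirectly identifying,
    even though no name or number is present."""
    counts = Counter(tuple(r[q] for q in QUASI_IDS) for r in records)
    return min(counts.values())


def can_link(records_a, records_b) -> int:
    """Number of pseudonyms present in both data sets, i.e. records that a party
    holding both sets can join without ever seeing the original identifier."""
    return len({r["pid"] for r in records_a} & {r["pid"] for r in records_b})


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # controller's secret, never shared with recipients
    p = pseudonymise(RECORDS, key)
    # A second data set about the same people, pseudonymised under the same key.
    followup = pseudonymise([{"id": "111222333", "postcode": "3584CS",
                              "birth_year": 1990, "dept": "physics", "score": 3}], key)
    print("linkable records under shared key:", can_link(p, followup))
    print("linkable records under a different key:",
          can_link(p, pseudonymise(RECORDS, secrets.token_bytes(32))))
    print("k (pseudonymised, raw quasi-identifiers):", min_group_size(p))
    print("k (anonymised, generalised):", min_group_size(anonymise(RECORDS)))
```

The run makes the template's point concrete: the pseudonymised set still has k = 1 (every person is unique on postcode, birth year and department), so it remains indirectly identifying and remains personal data; only after dropping the identifier and generalising does every record share its attributes with at least one other. Re-running `min_group_size` after each new data release is the periodic check the template asks for.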
Think, for example, of geolocation, personnel tracking systems,
decision support when not offering products or services.

The GDPR refers to so-called special categories of personal data
(Article 9; criminal-law data falls under Article 10): personal data
concerning a person's religion or belief, race, political opinion,
health, sexual life, personal data concerning the membership of a trade
union, criminal-law personal data and personal data about unlawful or
annoying behavior in connection with an imposed prohibition based on
that behavior.

For example, biometric data, fingerprints, DNA profiles.

For example the social security number (Burgerservicenummer: BSN).

For example, credit card information, financial information,
inheritance aspects, work performance or data subject to a duty of
confidentiality.

For example, minors, mentally disabled persons, prisoners,
supervised persons, people whose physical safety is at risk.

Keep in mind when answering:


1. Departments that use the data.
2. Departments that collect the data.
3. The persons who have access to the data.
Keep in mind when answering:
1. For and by whom the project is executed.
2. Which parties use the data.
3. Whether other parties are called in to achieve the goal (the
processing of data is outsourced).
4. Whether the data is sold.
5. Which people outside the organization have access to the data.

For data processed outside the European Economic Area (EEA), an
adequate level of protection must be provided. All countries within
the EEA must comply with the European data protection rules (the GDPR).
The European Commission takes a decision on the adequacy of the
level of protection afforded by countries outside the EEA. A list of
these countries can be found on the internet:
https://cbpweb.nl/nl/onderwerpen/internationaal-
gegevensverkeer/doorgifte- naar-derde-landen
When answering this question, please take into account:
1. Whether the data comes from the territory where it is stored.
2. Whether the data is provided to parties that are not located in
the territory where the data is collected.

Keep in mind when answering:

1. What the purpose(s) is/are for the use of the data.
2. Which information is provided to which parties for what purpose.
3. Whether the provision to the other parties is a legal obligation.
4. Whether the data is sold to other parties.
5. Whether other parties are called in to achieve the goal (outsourcing).
6. How often (frequency) the data are provided to other parties
(one-off, periodic update, continuous).
7. How information is provided to other parties.
8. Whether it is specified to which parties data is provided.
9. Whether the other party receives similar data on the basis of
which it can be traced back to whom the data relate (if they are
anonymised or pseudonymised).

The GDPR stipulates conditions for the use of data for commercial
or charitable purposes, such as the right of objection.

For example, because intimate or sensitive information is requested
in a public area where others can hear it, or because use is made of
(camera) observation or tracking by cookies or GPS.

In the answering, please take into account whether the data subject
can reasonably be aware of the processing of the data.
The GDPR has a limited number of bases on which data may be
processed:
1. The data subject has given consent (you request permission).
2. The data is necessary for the execution of an agreement to which
the person concerned is a party.
3. The data is required for compliance with a legal obligation.
4. Processing is necessary to protect the vital interests of the data
subject (or another natural person).
5. The data is necessary for the proper performance of a public-law
task.
6. You have a legitimate interest in the processing.

When processing the data, it must be clear whether the data subject
must give consent beforehand (opt-in) or not, in which case the data
subject may object later (opt-out).

This consent must be a freely given, specific and informed
expression of will.

For example, because the service to the person concerned is
stopped while he or she depends on it.

Keep in mind when answering:


1. Where the data come from (from the person concerned, an
internal department, another party, from own observation, et
cetera).
2. How the data is collected.
3. The possibility that the data subject may reasonably be aware of
the processing of the data.
4. The extent to which the person concerned is informed.
5. The technology used.
6. What the goal is / goals for the use.
7. Whether the data or outcomes of data processing are distributed
internally within the company.
8. The manner in which (oral, written, automatic, electronic,
observation, paper) the information is provided to other parties.
9. How long the data will be retained.
Keep in mind when answering:
1. The extent to which the person concerned is informed.
2. How the data is collected (by which route).
3. The technology used.
4. The possibility that the data subject may reasonably be aware of
the processing of the data.
5. Where the data comes from, from the person concerned, an
internal department, another party, from own observation, et
cetera.
6. What the goal is / the goals for the use.
7. Whether the data or outcomes of data processing are distributed
internally within the company.
8. The manner in which (oral, written, automatic, electronic,
observation, paper) the information is provided to other parties.
9. How long the data will be retained.

Keep in mind when answering:


1. What the collection goal is.
2. What the data is used for.
3. What data is collected.
4. Whether this data relates to special data.
5. Where the data comes from, from the person concerned, an
internal department, another party, from own observation, et
cetera.
6. How often (frequency) the data is collected (once, regularly or
continuously).
7. In what way (oral, written, automatic, electronic, observation,
paper) the data is collected and distributed.
8. Which departments / persons and other parties have access to
the data.

Keep in mind when answering:


1. Whether the data is checked, how and on which aspects the
inspection takes place.
2. Whether the data can be corrected.
3. Which persons have access to the data for correction, deletion etc.
4. Which departments have access to the data.
5. How often the data is updated.
6. What are the consequences of using incorrect data.
7. Whether measures are taken to prevent use other than intended.
8. Whether quality guarantees are provided when the data is
provided.
9. What happens if (parts of) the data is not provided to the other
parties.
Keep in mind when answering:
1. What the purpose is of collecting the data.
2. Which data (data elements) are collected.
3. Whether the data is checked (frequency and aspects).
4. Whether the data can be corrected.
5. How often the data is updated.
6. The way in which the data is checked for reliability (topicality,
completeness, accuracy) and relevance (for the purpose).
7. What are the consequences of using incorrect data.
8. Whether the data is used to create profiles.
9. Whether the profiles are stored on an individual level.
10. Which profiles are used.

Keep in mind when answering:


1. Which departments have access to the data.
2. Which people have access to the data.
3. The goals and the use of the data.

Keep in mind when answering:


1. Which organizations and individuals have access to the data.
2. How often (frequency) the data is provided.
3. The medium used for distribution (e.g. paper, memory stick, email,
internet).
4. The measures to prevent other use.
Keep in mind when answering:
1. For and by whom the project is executed.
2. What the technology is used for.
3. Whether the person concerned can reasonably be aware of the
processing of the data.
4. Whether the data subjects give permission to collect the data.
5. What the goal is / the goals for the use.
6. Whether all data is necessary for the purpose.
7. Which people have access to the data.
8. Other parties that also use the data.
9. What data (data elements) are provided to other parties.
10. How long the data will be saved after being used for the
(primary) purpose.

Think of profiles based on the use of services, the purchase of
products or certain combinations of properties.

Keep in mind when answering:


1. Whether the profiles are stored on an individual level.
2. On the basis of which data the profiles are drawn up.
3. Which profiles are used.
4. Whether an automatic decision is based on the data.
5. What is the logic behind this decision.
6. Parties to whom the data is provided.

This could include responding to requests or giving data subjects access to
their own data by means of an information system (whereby it must be
established that data can only be viewed by persons who are allowed to
do so).

This may include requesting a response to sent overviews or giving
(personal) correction possibilities in the own data by means of an
information system (whereby the data subject must be identified in
an adequate manner).

This could be a reaction to requests or giving removal possibilities in
the own data by means of an information system (whereby it must
be certain that data can only be deleted by persons who are allowed
to do so).

In doing so, take into account the purpose for which the data was
collected and subsequently processed and company guidelines and
legally stipulated retention periods, such as in the Archives Act and
tax legislation.
It is not enough to label data as 'expired'; after the expiry of the
retention period, these must actually be removed.
When answering the question, take into account:
1. Whether it is possible to destroy or delete (parts of) the data.
2. Whether the destruction or deletion of the data can be undone.
3. Whether the data can be anonymised in order to retain them.

Keep in mind when answering:


1. Whether regulations or policies exist for the destruction of data
(for example the Archives Act).
2. Where (which location) the data is stored.
3. On which medium (paper, hard disk, tape) the data is stored.
4. Whether this location / this medium is shielded for use (for
example the archive).
5. What other reasons exist for retaining the data, such as business-
historical or legal reasons.

Keep in mind when answering:

1. Whether someone is responsible for this policy.
2. Whether it is linked to general security standards.
3. Whether the special or sensitive nature of data is taken into
account.
4. Whether the security policy is being reviewed.

Think of the measures that are taken to comply with the policy
described (an information security plan).

The Guidelines for the Protection of Personal Data explain how the
Data Protection Authority uses the security standards from the
GDPR when examining and assessing the security of personal data in
individual cases. The Guidelines refer to and are linked to generally
accepted security standards, such as ISO / IEC 27001/27002 and
NEN 7510.

A duty to report data leaks is included in the GDPR. This
obligation to notify means that companies, authorities and other
organizations that process personal data must report data breaches
under certain conditions to the Supervisory Authority and in certain
cases also to the data subject. The person concerned is the person
whose personal data has been leaked.

Organizations must make a well-considered decision whether a
concrete data breach (including data breaches at processors) falls under
the statutory reporting obligation. The aim of the guidelines is to
support them in this. These guidelines also serve as a starting point
for the Supervisory Authority when applying enforcement
measures.
Result if answered "Yes":

Continue; since there is processing of personal data you must
answer the further questions.

Continue.

You can stop. Of course, you can still use this PIA to gain a better
understanding of the risks of the project and thereby make your
own risk (in the role of processor or as a party involved in the project)
transparent.

Continue.

Continue.

You run an increased risk: the impact of your project on the people
involved and the way in which they will react is difficult to estimate.
This could lead to an increased risk of reputational damage,
disruption of business continuity, and actions by enforcers and
supervisors.

You run an increased risk: the impact of your project on the people
involved and the way in which they will react is difficult to estimate.
This could lead to an increased risk of reputational damage,
disruption of business continuity, and actions by enforcers and
supervisors.

You run an increased risk: the impact of your project on the people
involved and the way in which they will react is difficult to estimate.
This could lead to an increased risk of reputational damage, disruption of
business continuity, and actions by enforcers and supervisors.

You run an increased risk: the impact of your project on the people
involved and the way in which they will react is difficult to estimate.
This could lead to an increased risk of reputational damage, disruption of
business continuity, and actions by enforcers and supervisors.
Your risk profile changes. You are advised to perform a compliance
check. Such projects require a good assessment of the
consequences in terms of privacy.
Your risk profile changes. You are advised to perform a compliance
check. Such projects require a good assessment of the
consequences in terms of privacy.
Your risk profile changes. You are advised to perform a compliance
check. Such projects require a good assessment of the
consequences in terms of privacy.

You can stop. The (possible) privacy risks of your processing are low.
The further execution of this PIA therefore has little added value.
Note: you must, however, still comply with the requirements of
the GDPR. This can be determined through a compliance check.

You run an increased risk. The more laws and regulations, the higher
the risk that you do not comply with this.
A large number of laws and regulations also indicate the social
importance that is attached to the subject.
You are advised to identify the applicable laws and regulations and
to clarify the (privacy) consequences.

You run an increased risk. The way in which societal stakeholders
respond varies, which may delay the project.
You are advised to make a plan in which you indicate how the
various stakeholders are involved in the project or are informed
about the project.

You run an increased risk.
There is a risk that not all parties handle the data collected
during the project carefully.
There is also a risk that the parties will assess the risks, and the effort
required to reduce them, differently.

Continue.

Continue.

You run an increased risk by using directly identifying personal data.
By anonymising the data you are no longer covered by the GDPR regime,
because you no longer process personal data. Pseudonymised data is
different: as long as a party (including your own organization) can
still link the pseudonym back to a person using additional information
such as a key or lookup table, it remains personal data under the GDPR
(Article 4(5), Recital 26). Pseudonymisation does, however, reduce the
risk for the people involved and limits the further measures you must
take to protect their privacy. You are advised to periodically check
whether the data can not be indirectly identifying, for example through
combinations of remaining attributes such as postcode, date of birth and
department.
You run an increased risk. There is a risk that the people involved or
general opinion see this as a potential threat to their privacy. Even if
the data is not used for this purpose, there is a risk that this will
happen (in the future).
The approval of the Works Council is required for the introduction
of a personnel tracking system.

Working with this type of data entails an increased risk of abuse that
has a (potentially large) impact on the data subject and therefore
calls for better security. Processing this data is only allowed under
certain legal conditions.

Working with this type of data entails an increased risk of abuse that
has a (potentially large) impact on the data subject and therefore
calls for better security. The processing of this data is only permitted
under certain legal conditions.

The processing of a unique personal number prescribed by law, such
as the BSN, is prohibited. You may only process this number if you
have a legal basis for this. For government organizations, this
statutory basis is laid down in the Wet algemene bepalingen
burgerservicenummer (Wabb).

Working with this type of data entails an increased risk of abuse that
has a (potentially large) impact on the data subject and therefore
requires better security.

You run an increased risk. There is a risk that those involved may
want to cooperate less quickly, or that the trust in the organization
decreases.
You are advised to use other less intrusive data.
Moreover, your organization runs compliance risks if this is the case.

You run an increased risk. If these data are misused, this results in a
negative public perception of the organization.
You are advised to take measures at a higher level of security and
to allow data subjects to withdraw from the processing.
You run an increased risk. The chance of data misuse increases as
you process more data.
You are advised to take measures at a higher level of security.

You run an increased risk.
Provide a clear description of the tasks and responsibilities related
to the data describing, among other things:
- Data security.
- Handling of errors.
- Reporting back errors.
- Coordination of security policy.
- Control.
Provide a clear data description.
You run an increased risk. The more parties involved, the greater
the chance of data loss, lack of clarity in responsibilities, the use of
the data for other purposes and the chance of errors.
Provide a clear description of the tasks and responsibilities related
to the data describing, among other things:
- The security of data and its coordination between the parties.
- The data quality.
- Handling of errors.
- Error reporting.
- Control.
Also provide a clear data description. Record agreements
contractually.

You are advised to check to what extent an adequate level of
protection is provided by the country or organization concerned.
Make written agreements about how this level of protection can be
maintained.

Continue.

You run a compliance risk. The use of data for commercial
purposes is subject to additional requirements.

You are advised to check whether the data can be collected in
another way.

Continue.
Continue.

Continue.

Continue.

You run an increased risk.
If the impact of the withdrawal of consent is large, the consent was
probably not freely given. You therefore run a compliance risk.

Continue with question 4.5.2

Continue with question 4.6

Continue.

Continue.
You run an increased risk. If data subjects are surprised by the data
processing, for example because more data is collected than is
necessary at first sight, or because the further use is not in line with
the purpose of collecting, there is a risk that the data subject will
not provide the data or will object to the use.
You are advised to check whether the data can be collected by other
means, whether less data can be collected, or whether the goals of further
use are in line with the purpose of collecting.

Continue.

Continue with question 5.2.1

Continue.

Continue.

Continue with question 5.4.1


Continue.

You run an increased risk that the data will be used, now or in the
future, for purposes other than those for which it was
originally collected (function creep).
You are advised to take measures to prevent this so-called
function creep, for example by applying strict retention
periods.

You run an increased risk. The dissemination of data within the
organization increases the risk that the data will be used for purposes
they are not meant for, or will fall into the hands of people who
are not authorized for this.
Provide a clear description of the tasks and responsibilities related
to the data describing, among other things:
- Data security.
- Handling of errors.
- Error reporting.
- Coordination of security policy.
- Control.
Provide a clear data description.

You run an increased risk. The more parties involved, the greater
the chance of data loss, lack of clarity in responsibilities, the use of
the data for other purposes and the chance of errors.
Provide a clear description of the tasks and responsibilities related
to the data describing, among other things:
- The security of data and its coordination between the parties.
- The data quality.
- Handling of errors.
- Error reporting.
- Control.
Also provide a clear data description. Record agreements
contractually.
Continue.

Continue with question 5.8.1

You run an increased risk. Making decisions based on a particular
profiling can be interpreted as discrimination against certain
population groups, age groups or other groups.
Make sure that - if you do use profiling - it is clear:
- On the basis of which data these profiles are drawn up.
- Which decisions are made, and in which way, on the basis of the
profiles.
- Whether sensitive information can be derived from the profiles.
Also ensure that stakeholders are informed about this profiling and
possible decisions where necessary.

Continue.

Continue.

Continue.

Continue.
Continue with 6.2.1.

Continue.

Continue.

Continue.

Continue.

Continue.

End questionnaire.

You can stop.


You run an increased risk.
There is a risk that it is unclear who is responsible for executing the
measures required to cover the risks, and that the risks therefore remain
uncovered.
In addition, you run a compliance risk: the controller has various legal
obligations, and there is a risk that not all of them will be complied
with.

Determine who (business unit, person) is responsible within your
organization.

There is a risk that the measures will no longer be maintained in the
future or will no longer fit the situation.

A SMART-defined objective is essential for making the choices involved in
setting up high-quality data processing.
In addition, your organization runs compliance risks if the goal is not
described with sufficient precision.

Continue.

Continue.

Continue.

Continue.
Continue.

Continue.

Continue.

Continue.

Continue.

Continue.

Continue.

You run an increased risk. An (independent) body in which disputes
can be settled contributes to better information, a better image and a
balanced representation of interests.
You are advised to appoint a contact point for questions and
complaints and, where possible, to join a dispute resolution
arrangement.

Processing as little data as possible has a number of advantages:
- The required storage and computing capacity of your computer
systems is lower, so performance, recovery times and service levels
can be improved.
- You will have to maintain and update less data, and the chance of
errors will be reduced.
In addition, your organization runs compliance risks if you collect
too much data for the purpose.

Continue.
Continue.

Continue.

Continue.

Continue.

Continue.

Continue.

Continue.

Continue.

Continue.
Continue.

Continue.

If information is provided to other parties for a purpose other than
that for which it was collected, there is a risk that the data are not
suitable for that purpose and that data subjects are harmed by the
further dissemination of the data.
You may have a compliance risk (see Article 9, paragraph 1 and 2 of
the Dutch Data Protection Act).

Continue.

Continue.

Processing data without this being publicly known or made public
involves a high risk for those involved.
You are advised to weigh the interests and to check whether the purpose
of the processing outweighs the risks for those involved.
A legal basis is necessary for the processing of personal data. If this
is missing, you run a compliance risk.

You run an increased risk. If the data subject is surprised by
processing that takes place without their permission, there is a risk
that they will object.

You run an increased risk. If you cannot comply with requests from
data subjects to stop processing their data, or if you do not offer
this possibility at all, this can lead to irritation among the data
subjects or to costly adjustments in systems. You are advised to allow
those involved to withdraw their permission and to make this technically
possible.

Continue.

Continue with question 4.5.1

Providing information about what data is collected contributes to
transparency and inspires confidence among those involved. In
addition, you run a compliance risk if the information is not
provided.
Continue with question 4.6.

Providing information about what you are going to do with the
collected data contributes to transparency and inspires confidence
among those involved. In addition, you run a compliance risk if the
information is not provided.

You are advised to record (per transmission) to whom data is
provided. You are also advised to tell the data subjects, at the time
the data is collected, to which parties the data will be provided.
Lastly, you are advised to tell data subjects, if they ask, what
information was provided, when and to whom.
Continue.

The use of the data must be in accordance with the purpose of the
processing. If this is not the case, there is a risk that the data is not
suitable for the purpose because, for example, its quality is
insufficient.
You run a compliance risk if you do not comply with this.

Continue with question 5.3

The use of the data must be in accordance with the purpose of the
processing.
You run a compliance risk if you do not comply with this.

You run an increased risk. It is important that the processed data is
correct, to ensure that no incorrect conclusions are drawn and no wrong
actions are taken.
With this you also run a compliance risk.

Continue with question 5.5


If data is incorrect, out of date or incomplete, there is an increased
risk that erroneous decisions are made on the basis of that data, which
may result in damage to the data subjects or the organization.

Continue.

Continue.

Continue with question 5.8


You run an increased risk. When providing data outside the
organization it is important that the person concerned is aware of
this and that measures have been taken to protect the data. You
also run a compliance risk.

Continue with question 5.9

Continue.

You run an increased risk. Data subjects have the right to view their
data. It is important that you yourself have a clear overview of the
data that is processed and where it is located within the
organization.
You also run a compliance risk, as it is mandatory to grant data
subjects access to their data (upon request, possibly for a reasonable
fee).

You run an increased risk. Providing a correction option improves
data quality. If corrections cannot be made, the data quality
deteriorates and the data eventually (possibly) becomes unsuitable.
You also run a compliance risk with this.

You run an increased risk. Data subjects have the right to request
that their data be removed. Unless there are compelling reasons not to,
the request should be honoured. In other cases, the data subject has
the right to be informed of the reason for (partly) not complying with
the request.
With this you are running a compliance risk.

You run an increased risk. If data is stored indefinitely, the risk of
its use by unauthorized persons increases. It also entails costs to keep
(and maintain) the data.
With this you also run a compliance risk. You only need to keep data
for as long as necessary to meet the objectives. You can keep
anonymous data after this period.
You run an increased risk. If data is stored indefinitely, the risk of
its use by unauthorized persons increases. It also entails costs to keep
(and maintain) the data.
In addition, it is desirable (and in many cases obligatory) to delete
data at the request of the person concerned.
With this you are running a compliance risk. You only need to keep
data for as long as necessary to meet the objectives.
You are advised to destroy the data once it is no longer needed (unless
a legal obligation to keep it stands in the way) or, if this is not
possible, to anonymise it.
Continue with question 7.1.

Keeping data for as short a time as possible has a number of advantages:
- The required storage and computing capacity of your computer
systems is lower, so performance, recovery times and service levels
can be improved.
- You will have to maintain and update less data, and the chance of
errors will be reduced.
There is also a risk that the data will be used for purposes other
than those for which it was originally collected and stored. Your
organization also runs compliance risks if you store too much data for
the purpose.
You are advised to determine per data carrier how the data should
be destroyed.

Security policy is necessary for making choices and taking measures
that secure the data effectively and efficiently.
Continue with question 8.1.

You are advised to draw up an information security plan containing
measures that ensure adequate protection of the data.
Continue with question 8.1.

You are nevertheless advised to check whether, and to what extent, the
security of the personal data is guaranteed in line with the
requirements of the Guidelines and with relevant security
standards.

Measures are necessary to provide a structured and adequate
implementation of the legal obligation to report data leaks. You are
advised to take such measures.
End of questionnaire.

You are nevertheless advised to check whether, and if so to what extent,
the way the obligation to report data leaks is handled is in line with
the requirements of the Guidelines.
End of questionnaire.