NIST Privacy Framework V 1.
0 CORE mapping to the
EU Regulation 2016/679 (General Data Protection Regulation)
Mapped elements represent where the GDPR article requires a control that would fall under the NIST
Core subcategory or a control under the NIST Core subcategory would support activities under the
GDPR article. For instance, inventorying data elements under ID.IM-P6 would be part of the records of
processing for under Article(30)(1)(c) and would generally help demonstrate compliance
('accountability') as required by Article (5)(2).
Function
IDENTIFY-P (ID-P): Develop the Inventory and Mapping (ID.IM-P): Data
organizational understanding processing by systems, products, or
to manage privacy risk for
individuals arising from data management of privacy risk.
processing.
GOVERN-P (GV-P): Develop and Governance Policies, Processes, and
implement the organizational Procedures (GV.PO-P): The policies,
governance structure to enable processes, and procedures to manage and such as data uses or retention periods,
an ongoing understanding of monitor the organization’s regulatory,
the organization’s risk
management priorities that
are informed by privacy risk. the management of privacy risk.
CONTROL-P (CT-P): Develop
and implement appropriate
activities to enable
organizations or individuals to
manage data with sufficient
granularity to manage privacy
risks.
COMMUNICATE-P (CM-P):
Develop and implement
appropriate activities to enable
organizations and individuals to
have a reliable understanding
and engage in a dialogue about
how data are processed and
associated privacy risks.
PROTECT-P (PR-P): Develop
and implement appropriate
data processing safeguards.
Thanks to those who contributed their comments!
Category
services is understood and informs the
Business Environment (ID.BE-P): The
organization’s mission, objectives,
stakeholders, and activities are
understood and prioritized; this
information is used to inform privacy
roles, responsibilities, and risk
management decisions.
Risk Assessment (ID.RA-P): The
organization understands the privacy risks
to individuals and how such privacy risks
may create follow-on impacts on
organizational operations, including
mission, functions, other risk
management priorities (e.g., compliance,
financial), reputation, workforce, and
culture.
Data Processing Ecosystem Risk
Management (ID.DE-P): The
organization’s priorities, constraints, risk
tolerance, and assumptions are
established and used to support risk
decisions associated with managing
privacy risk and third parties within the
data processing ecosystem. The
organization has established and
implemented the processes to identify,
assess, and manage privacy risks within
the data processing ecosystem.
GV.PO-P1: Organizational privacy values and
policies (e.g., conditions on data processing
individuals’ prerogatives with respect to data
legal, risk, environmental, and operational processing) are established and communicated.
requirements are understood and inform
GV.PO-P2: Processes to instill organizational
privacy values within system/product/service
development and operations are established
and in place.
Risk Management Strategy (GV.RM-P):
The organization’s priorities, constraints, established, managed, and agreed to by
risk tolerances, and assumptions are
established and used to support
operational risk decisions.
Awareness and Training (GV.AT-P): The
organization’s workforce and third parties
engaged in data processing are provided
privacy awareness education and are
trained to perform their privacy-related
duties and responsibilities consistent with
related policies, processes, procedures,
and agreements and organizational
privacy values.
Monitoring and Review (GV.MT-P): The
policies, processes, and procedures for
ongoing review of the organization’s
privacy posture are understood and
inform the management of privacy risk.
Data Processing Policies, Processes, and CT.PO-P1: Policies, processes, and procedures
Procedures (CT.PO-P): Policies, processes, for authorizing data processing (e.g.,
and procedures are maintained and used organizational decisions, individual consent),
to manage data processing (e.g., purpose, revoking authorizations, and maintaining
scope, roles and responsibilities in the authorizations are established and in place.
data processing ecosystem, and
management commitment) consistent
with the organization’s risk strategy to
protect individuals’ privacy.
Data Processing Management (CT.DM-P): CT.DM-P1: Data elements can be accessed for
Data are managed consistent with the
organization’s risk strategy to protect
individuals’ privacy, increase
manageability, and enable the
implementation of privacy principles (e.g., transmission or disclosure.
individual participation, data quality, data
minimization).
Disassociated Processing (CT.DP-P): Data
processing solutions increase
disassociability consistent with the
organization’s risk strategy to protect
individuals’ privacy and enable
implementation of privacy principles (e.g.,
data minimization).
Communication Policies, Processes, and CM.PO-P1: Transparency policies, processes,
Procedures (CM.PO-P): Policies, and procedures for communicating data
processes, and procedures are maintained processing purposes, practices, and associated
and used to increase transparency of the privacy risks are established and in place.
organization’s data processing practices
(e.g., purpose, scope, roles and
responsibilities in the data processing
ecosystem, and management
commitment) and associated privacy risks.
Data Processing Awareness (CM.AW-P): CM.AW-P1: Mechanisms (e.g., notices, internal
Individuals and organizations have reliable or public reports) for communicating data
knowledge about data processing
practices and associated privacy risks, and privacy risks, and options for enabling
effective mechanisms are used and
maintained to increase predictability
consistent with the organization’s risk
strategy to protect individuals’ privacy.
Data Protection Policies, Processes, and PR.PO-P1: A baseline configuration of
Procedures (PR.PO-P): Security and
privacy policies (e.g., purpose, scope, roles maintained incorporating security principles
and responsibilities in the data processing (e.g., concept of least functionality).
ecosystem, and management
commitment), processes, and procedures PR.PO-P2: Configuration change control
are maintained and used to manage the processes are established and in place.
protection of data.
Identity Management, Authentication,
and Access Control (PR.AC-P): Access to managed, verified, revoked, and audited for
data and devices is limited to authorized authorized individuals, processes, and devices.
individuals, processes, and devices, and is
managed consistent with the assessed risk PR.AC-P2: Physical access to data and devices is
of unauthorized access.
Data Security (PR.DS-P): Data are
managed consistent with the
organization’s risk strategy to protect
individuals’ privacy and maintain data
confidentiality, integrity, and availability.
Maintenance (PR.MA-P): System
maintenance and repairs are performed
consistent with policies, processes, and
procedures.
Protective Technology (PR.PT-P): PR.PT-P1: Removable media is protected and its Art. 5(1)(f): Integrity and Confidentiality
Technical security solutions are managed use restricted according to policy.
to ensure the security and resilience of
systems/products/services and associated PR.PT-P2: The principle of least functionality is Art. 5(1)(b): Purpose Limitation
data, consistent with related policies, incorporated by configuring systems to provide Art. 5(1)(c): Data Minimization
processes, procedures, and agreements. only essential capabilities.
Chapter II - Principles
Subcategory
ID.IM-P1: Systems/products/services that
process data are inventoried.
ID.IM-P2: Owners or operators (e.g., the
organization or third parties such as service
providers, partners, customers, and developers)
and their roles with respect to the
systems/products/services and components
(e.g., internal or external) that process data are
inventoried.
ID.IM-P3: Categories of individuals (e.g.,
customers, employees or prospective
employees, consumers) whose data are being
processed are inventoried.
ID.IM-P4: Data actions of the
systems/products/services are inventoried.
ID.IM-P5: The purposes for the data actions are Art. 5(2): Accountability
inventoried. Art. 5(1)(a): Lawful, Fair and Transparent
ID.IM-P6: Data elements within the data actions Art. 5(2): Accountability
are inventoried.
ID.IM-P7: The data processing environment is
identified (e.g., geographic location, internal,
cloud, third parties).
ID.IM-P8: Data processing is mapped,
illustrating the data actions and associated data
elements for systems/products/services,
including components; roles of the component
owners/operators; and interactions of
individuals or third parties with the
systems/products/services.
ID.BE-P1: The organization’s role(s) in the data
processing ecosystem are identified and
communicated.
ID.BE-P2: Priorities for organizational mission,
objectives, and activities are established and
communicated.
ID.BE-P3: Systems/products/services that
support organizational priorities are identified
and key requirements communicated.
ID.RA-P1: Contextual factors related to the
systems/products/services and the data actions
are identified (e.g., individuals’ demographics
and privacy interests or perceptions, data
sensitivity and/or types, visibility of data
processing to individuals and third parties).
ID.RA-P2: Data analytic inputs and outputs are
identified and evaluated for bias.
ID.RA-P3: Potential problematic data actions
and associated problems are identified.
ID.RA-P4: Problematic data actions, likelihoods, Art. 6: Lawfulness of Processing
and impacts are used to determine and
prioritize risk.
ID.RA-P5: Risk responses are identified,
prioritized, and implemented.
ID.DE-P1: Data processing ecosystem risk
management policies, processes, and
procedures are identified, established, assessed,
managed, and agreed to by organizational
stakeholders.
ID.DE-P2: Data processing ecosystem parties
(e.g., service providers, customers, partners,
product manufacturers, application developers)
are identified, prioritized, and assessed using a
privacy risk assessment process.
ID.DE-P3: Contracts with data processing
ecosystem parties are used to implement
appropriate measures designed to meet the
objectives of an organization’s privacy program.
ID.DE-P4: Interoperability frameworks or similar
multi-party approaches are used to manage
data processing ecosystem privacy risks.
ID.DE-P5: Data processing ecosystem parties are Art. 5(1)(f): Integrity and Confidentiality
routinely assessed using audits, test results, or Art. 5(2): Accountability
other forms of evaluations to confirm they are
meeting their contractual, interoperability
framework, or other obligations.
Art. 6: Lawfulness of Processing
GV.PO-P3: Roles and responsibilities for the
workforce are established with respect to
privacy.
GV.PO-P4: Privacy roles and responsibilities are Art. 5(1)(f): Integrity and Confidentiality
coordinated and aligned with third-party
stakeholders (e.g., service providers, customers,
partners).
GV.PO-P5: Legal, regulatory, and contractual Art. 5(1)(f): Integrity and Confidentiality
requirements regarding privacy are understood Art. 6: Lawfulness of Processing
and managed.
GV.PO-P6: Governance and risk management
policies, processes, and procedures address
privacy risks.
GV.RM-P1: Risk management processes are
organizational stakeholders.
GV.RM-P2: Organizational risk tolerance is
determined and clearly expressed.
GV.RM-P3: The organization’s determination of
risk tolerance is informed by its role(s) in the
data processing ecosystem.
GV.AT-P1: The workforce is informed and
trained on its roles and responsibilities.
GV.AT-P2: Senior executives understand their
roles and responsibilities.
GV.AT-P3: Privacy personnel understand their
roles and responsibilities.
GV.AT-P4: Third parties (e.g., service providers, Art. 5(1)(f): Integrity and Confidentiality
customers, partners) understand their roles and Art. 5(2): Accountability
responsibilities.
GV.MT-P1: Privacy risk is re-evaluated on an
ongoing basis and as key factors, including the
organization’s business environment (e.g.,
introduction of new technologies), governance
(e.g., legal obligations, risk tolerance), data
processing, and systems/products/services
change.
GV.MT-P2: Privacy values, policies, and training
are reviewed and any updates are
communicated.
GV.MT-P3: Policies, processes, and procedures
for assessing compliance with legal
requirements and privacy policies are
established and in place.
GV.MT-P4: Policies, processes, and procedures
for communicating progress on managing
privacy risks are established and in place.
GV.MT-P5: Policies, processes, and procedures
are established and in place to receive, analyze,
and respond to problematic data actions
disclosed to the organization from internal and
external sources (e.g., internal discovery,
privacy researchers, professional events).
GV.MT-P6: Policies, processes, and procedures
incorporate lessons learned from problematic
data actions.
GV.MT-P7: Policies, processes, and procedures
for receiving, tracking, and responding to
complaints, concerns, and questions from
individuals about organizational privacy
practices are established and in place.
CT.PO-P2: Policies, processes, and procedures
for enabling data review, transfer, sharing or
disclosure, alteration, and deletion are
established and in place (e.g., to maintain data
quality, manage data retention).
CT.PO-P3: Policies, processes, and procedures Art. 7(3): Right to withdraw consent
for enabling individuals’ data processing
preferences and requests are established and in
place.
CT.PO-P4: A data life cycle to manage data is
aligned and implemented with the system
development life cycle to manage systems.
review.
CT.DM-P2: Data elements can be accessed for
CT.DM-P3: Data elements can be accessed for
alteration.
CT.DM-P4: Data elements can be accessed for
deletion.
CT.DM-P5: Data are destroyed according to
policy.
CT.DM-P6: Data are transmitted using
standardized formats.
CT.DM-P7: Mechanisms for transmitting
processing permissions and related data values Art. 5(1)(c): Data Minimization
with data elements are established and in place. Art. 5(1)(e): Storage Limitation
CT.DM-P8: Audit/log records are determined,
documented, implemented, and reviewed in
accordance with policy and incorporating the
principle of data minimization.
CT.DM-P9: Technical measures implemented to
manage data processing are tested and
assessed.
CT.DM-P10: Stakeholder privacy preferences
are included in algorithmic design objectives
and outputs are evaluated against these
preferences.
CT.DP-P1: Data are processed to limit
observability and linkability (e.g., data actions
take place on local devices, privacy-preserving
cryptography).
CT.DP-P2: Data are processed to limit the
identification of individuals (e.g., de-
identification privacy techniques, tokenization). Art. 11(1): Processing not requiring identification
CT.DP-P3: Data are processed to limit the
formulation of inferences about individuals’
behavior or activities (e.g., data processing is
decentralized, distributed architectures).
CT.DP-P4: System or device configurations
permit selective collection or disclosure of data Art. 5(1)(c): Data Minimization
elements.
CT.DP-P5: Attribute references are substituted
for attribute values.
CM.PO-P2: Roles and responsibilities (e.g.,
public relations) for communicating data
processing purposes, practices, and associated
privacy risks are established.
processing purposes, practices, associated
individuals’ data processing preferences and
requests are established and in place.
CM.AW-P2: Mechanisms for obtaining feedback Art. 5(1)(f): processed in a manner that ensures appropriate Art. 12: Controller obligations to notice (data subject
from individuals (e.g., surveys or focus groups) security of the personal data, including protection against exercise of rights)
about data processing and associated privacy
risks are established and in place.
CM.AW-P3: System/product/service design
enables data processing visibility.
CM.AW-P4: Records of data disclosures and
sharing are maintained and can be accessed for
review or transmission/disclosure.
CM.AW-P5: Data corrections or deletions can
be communicated to individuals or
organizations (e.g., data sources) in the data
processing ecosystem.
CM.AW-P6: Data provenance and lineage are
maintained and can be accessed for review or
transmission/disclosure.
CM.AW-P7: Impacted individuals and
organizations are notified about a privacy
breach or event.
CM.AW-P8: Individuals are provided with
mitigation mechanisms (e.g., credit monitoring,
consent withdrawal, data alteration or deletion)
to address impacts of problematic data actions.
information technology is created and
PR.PO-P3: Backups of information are
conducted, maintained, and tested.
PR.PO-P4: Policy and regulations regarding the
physical operating environment for
organizational assets are met.
PR.PO-P5: Protection processes are improved.
PR.PO-P6: Effectiveness of protection
technologies is shared.
PR.PO-P7: Response plans (Incident Response
and Business Continuity) and recovery plans
(Incident Recovery and Disaster Recovery) are
established, in place, and managed.
PR.PO-P8: Response and recovery plans are
tested.
PR.PO-P9: Privacy procedures are included in
human resources practices (e.g., deprovisioning, personnell to execute confidentiality agreements]
personnel screening).
PR.PO-P10: A vulnerability management plan is
developed and implemented.
PR.AC-P1: Identities and credentials are issued,
managed.
PR.AC-P3: Remote access is managed.
PR.AC-P4: Access permissions and
authorizations are managed, incorporating the
principles of least privilege and separation of
duties.
PR.AC-P5: Network integrity is protected (e.g.,
network segregation, network segmentation).
PR.AC-P6: Individuals and devices are proofed
and bound to credentials, and authenticated
commensurate with the risk of the transaction
(e.g., individuals’ security and privacy risks and
other organizational risks).
PR.DS-P1: Data-at-rest are protected.
PR.DS-P2: Data-in-transit are protected.
PR.DS-P3: Systems/products/services and Art. 5(1)(c): Data Minimization
associated data are formally managed Art. 5(1)(e): Storage Limitation
throughout removal, transfers, and disposition. Art. 5(1)(f): Integrity and Confidentiality
PR.DS-P4: Adequate capacity to ensure
availability is maintained.
PR.DS-P5: Protections against data leaks are
implemented.
PR.DS-P6: Integrity checking mechanisms are
used to verify software, firmware, and
information integrity.
PR.DS-P7: The development and testing
environment(s) are separate from the
production environment.
PR.DS-P8: Integrity checking mechanisms are
used to verify hardware integrity.
PR.MA-P1: Maintenance and repair of
organizational assets are performed and logged,
with approved and controlled tools.
PR.MA-P2: Remote maintenance of
organizational assets is approved, logged, and
performed in a manner that prevents
unauthorized access.
Art. 5(1)(e): Storage Limitation
PR.PT-P3: Communications and control
networks are protected.
PR.PT-P4: Mechanisms (e.g., failsafe, load
balancing, hot swap) are implemented to
achieve resilience requirements in normal and
adverse situations.
Limitations
Articles 5-11
Art. 5(2): Accountability
Art. 5(2): Accountability
Art. 5(2): Accountability
Art. 5(2): Accountability
Art. 5(1)(b): Purpose Limitation
Art. 5(1)(c): Data Minimization
Art. 5(1)(e): Storage Limitation
Art. 5(2): Accountability
Art. 5(2): Accountability
Art. 5(1)(a): Lawfulness, Fairness and Transparency
Art. 5(1)(f): Integrity and Confidentiality
Art. 11(2): Processing not requiring identification
Art. 5(1)(b): Purpose limitation
Art. 5(1)(f): Integrity and Confidentiality
Art. 5(1)(a): Lawfulness, Fairness and Transparency
Art. 6: Lawfulness of Processing
Art. 5(2): Accountability
Art. 5(1)(f): Integrity and Confidentiality
Art. 5(2): Accountability
Art. 5(2): Accountability
Art. 5(2): Accountability
Art. 11(2): Processing not requiring identification
Art. 5(1)(a): Lawful, Fair and Transparent
Art. 5(1)(b): Purpose Limitation
Art. 6: Lawfulness of Processing
Art. 7: Conditions of Consent
Art. 8: Child's cosent
Art. 9: Processing special categories of data
Art. 10: Processing criminal data
Art. 5(1)(d): Accuracy
Art. 5(2): Accountability
Art. 7(3): Right to withdraw consent
Art. 5(1)(d): Accuracy
Art. 5(1)(d): Accuracy
Art. 5(1)(d): Accuracy
Art. 5(1)(c): Data Minimization
Art. 5(1)(d): Accuracy
Art. 5(1)(c): Data Minimization
Art. 5(1)(f): Integrity and Confidentiality
Art. 5(1)(d): Accuracy
Art. 5(1)(b): Purpose Limitation
Art. 5(1)(f): Integrity and Confidentiality
Art. 5(1)(f): Integrity and Confidentiality
Art. 5(2): Accountability
Art. 5(1)(c): Data Minimization
Art. 5(1)(e): Storage Limitation
Art. 5(1)(c): Data Minimization
Art. 5(1)(e): Storage Limitation
Art. 5(1)(a): Lawful, Fair and Transparent
Art. 5(1)(b): Purpose Limitation
Art. 5(1)(c): Data Minimization
Art. 5(1)(e): Storage Limitation
Art. 5(1)(b): Purpose Limitation
Art. 5(1)(c): Data Minimization
Art. 5(1)(e): Storage Limitation
Art. 11(1): Processing not requiring identification
Art. 11(2): Where, in cases referred to in paragraph 1 of this Art. 12(1): Clear and plain language
Article, the controller is able to demonstrate that it is not in a Art. 12(7): Icons
position to identify the data subject, the controller shall
inform the data subject accordingly, if possible. In such
cases, Articles 15 to 20 shall not apply except where the data
subject, for the purpose of exercising his or her rights under
those articles, provides additional information enabling his or
her identification.
Art. 11(2): Where, in cases referred to in paragraph 1 of this Art. 12(1): Clear and plain language
Article, the controller is able to demonstrate that it is not in a Art. 12(7): Icons
position to identify the data subject, the controller shall
inform the data subject accordingly, if possible. In such
cases, Articles 15 to 20 shall not apply except where the data
subject, for the purpose of exercising his or her rights under
those articles, provides additional information enabling his or
her identification.
Art. 7: Conditions of Consent
Art. 11(2): Where, in cases referred to in paragraph 1 of this Art. 12(7): Icons
Article, the controller is able to demonstrate that it is not in a
position to identify the data subject, the controller shall
inform the data subject accordingly, if possible. In such
cases, Articles 15 to 20 shall not apply except where the data
subject, for the purpose of exercising his or her rights under
those articles, provides additional information enabling his or
her identification.
unauthorised or unlawful processing and against accidental
loss, destruction or damage, using appropriate technical or
organizational measures ('integrity and confidentiality').
Art. 11(2): Processing not requiring identification [Exception Art. 12(1): Clear and plain language
to data processing visilibity]
Art. 11(2): Where, in cases referred to in paragraph 1 of this Art. 12(1): Clear and plain language
Article, the controller is able to demonstrate that it is not in a Art. 12(7): Icons
position to identify the data subject, the controller shall
inform the data subject accordingly, if possible. In such
cases, Articles 15 to 20 shall not apply except where the data
subject, for the purpose of exercising his or her rights under
those articles, provides additional information enabling his or
her identification.
Art. 5(1)(f): Integrity and Confidentiality
Art. 5(2): Accountability
Art. 5(1)(d): Accuracy
Art. 5(1)(b): Purpose Limitation
Art. 5(1)(c): Data Minimization
Art. 5(1)(f): Integrity and Confidentiality
Art. 11(2): Where, in cases referred to in paragraph 1 of this Art. 12(1): Clear and plain language
Article, the controller is able to demonstrate that it is not in a Art. 12(7): Icons
position to identify the data subject, the controller shall
inform the data subject accordingly, if possible. In such
cases, Articles 15 to 20 shall not apply except where the data
subject, for the purpose of exercising his or her rights under
those articles, provides additional information enabling his or
her identification.
Art. 5(1)(f): Integrity and Confidentiality
Art. 5(1)(f): Integrity and Confidentiality [requiring
Art. 5(1)(f): Integrity and Confidentiality
Art. 5(1)(f): Integrity and Confidentiality
Art. 5(1)(f): Integrity and Confidentiality
Art. 5(1)(b): Purpose limitation
Art. 5(1)(f): Integrity and Confidentiality
Art. 5(1)(f): Integrity and Confidentiality
Art. 5(1)(f): Integrity and Confidentiality
Art. 5(1)(f): Integrity and Confidentiality
Art. 5(1)(f): Integrity and Confidentiality
Art. 6(4)(e): Processing in the public interest
(deidentification of data after primary purpose but further in
public interest)
Art. 11(1): Processing not requiring identification
Art. 5(1)(f): Integrity and Confidentiality
Art. 5(1)(f): Integrity and Confidentiality
Art. 5(1)(f): Integrity and Confidentiality
Art. 5(1)(f): Integrity and Confidentiality
Art. 5(1)(f): Integrity and Confidentiality
Art. 5(1)(f): Integrity and Confidentiality
While every effort has been made to be complete and provide as much detail as necessary, no guarantee or warranty is provided on the accuracy or completeness of this mapping. You should use it as a starting point for your own analysis.
Chapter III- Rights of the Data Subject
Section 1 Section 2
Transparency and Modalities Information and Access to
Information
Article 12 Articles 13-15
Art. 12(1): Clear and plain language Art. 13: Notice to data subjects
Art. 12(7): Icons Art. 14: Notice to data subjects
Art. 15(3): Right of Access - copy of data
[Note who has oblighations under these articles]
Art. 13(2)(f): Notification of automated decision making
Art. 14(2)(g): Notification of automated decision making
Art. 12(1): Clear and plain language Art. 15(3): Right of Access - copy of data
Art. 12(7): Icons
Art. 12(3-6): Right to notice Art. 15: Right of Access
Art. 12(2): Controller obligation to fulfill rights of data
subject (especially around revocation of authorization)
Art. 12(2): Controller obligation to fulfill rights of data Art. 13(2)(b): Notification of right to rectification or erasure Art. 16: Right to rectification
subject, Art. 13(2)(c): Notification of right to withdraw consent
Art. 13(2)(f): Notification of automated decision making
Art. 14(2)(c): Notification of right to rectification or erasure Art. 20: Right to Data Portability
Art. 14(2)(d): Notification of right to withdraw consent
Art. 14(2)(g): Notification of automated decision making
Art. 15: Right of access
Art. 12(2): Controller obligation to fulfill rights of data Art. 13(2)(f): Notification of automated decision making
subject Art. 13)(2)(b): Notification of right to erasure
Art. 13(2)(c): Notification of right to withdraw consent
Art. 14(2)(c): Notification of right to erasure
Art. 14(2)(d): Notification of right to withdraw consent
Art. 14(2)(g): Notification of automated decision making
Art. 15(3): Right of Access - copy of data
Art. 15(4): Right of access - not infringe rights of others
Art. 15(3): Right of Access - copy of data
Art. 15(3): Right of Access - copy of data
Art. 15(3): Right of Access - copy of data
Art. 15(3): Right of Access - copy of data
Art. 15(3): Right of Access - copy of data
Art. 13: Notification where data collected from data subject Art. 17(2): Right of Erasure - inform processors, where data Art. 21(4): Notification of right to object
Art. 14: Notification where data collected not from data
subject
Art. 15: Right of Access
Art. 13: Notification where data collected from data subject Art. 17(2): Right of Erasure - inform processors, where data Art. 21(4): Notification of right to object
Art. 14: Notification where data collected not from data
subject
Art. 15: Right of Access
Art. 12(1): Clear and plain language Art. 13: Notification where data collected from data subject Art. 17(2): Right of Erasure - inform processors, where data Art. 21(4): Notification of right to object
Art. 14: Notification where data collected not from data
subject
Art. 15: Right of Access
Art. 15: Right of Access
Art. 13: Notification where data collected from data subject Art. 17(2): Right of Erasure - inform processors, where data Art. 21(4): Notification of right to object
Art. 12(7): Icons Art. 14: Notification where data collected not from data
subject
Art. 15: Right of Access
Art. 13(3): Notice to data subjects of additional processing
Art. 14(4): Notice to data subjects of additional processing
Art. 15(3): Right of Access - copy of data
Art. 13(2)(b): Notification of right to rectification or erasure Art. 16: Right to Rectification
Art. 14(2)(c): Notification of right to rectification or erasure Art. 17: Right of Erasure
Art. 15(3): Right of Access - copy of data
Art. 13: Notice to data subjects
Art. 14: Notice to data subjects
Chapter IV - Controllers and Processors Chapter V - Transfers
Section 3 Section 4 Section 5 Section 1 Section 2 Section 3 Section 4 Section 5
Rectification and Erasure Right to object and automated Restrictions General Obligations Security of Personal Data DPIA DPO Certification and Codes of
decision-making Conduct
Articles 16-20 Article 21-22 Article 23 Articles 24-31 Articles 32-34 Article 35-36 Articles 37-39 Article 40-43 Articles 44-50
Art. 24(1): Responsibilities of Controller Art. 35: DPIA for high risk processing activities
Art. 30: Records of Processing
Art. 24(1): Responsibilities of Controller Art. 32(1)(d): Security of Processing - Regular testing of Art. 35(7)(a): Systematic description of the envisaged
Art. 26(1): Responsibilities of joint controllers effectiveness of controls processing operations
Art. 28(3): Processing based on documented instructions from the Art. 32(2): Security of Processing - Assessing appropriate Art. 35(7)(d): Safeguards, security measures and
controller level of security mechanisms to ensure the protection of personal data
Art. 28(4): Engaging subprocessor
Art. 30: Records of Processing
Art. 24(1): Responsibilities of Controller Art. 35: DPIA for high risk processing activities
Art. 30: Records of Processing
Art. 24(1): Responsibilities of Controller
Art. 30: Records of Processing
Art. 24(1): Responsibilities of Controller Art. 32.4: Security of Processing - individuals with access to Art. 35: DPIA for high risk data processing activites
Art. 30: Records of Processing data Art. 36: Prior Consultation
Art. 28(3)(a): Processor should process based on documented
instructions
Art. 28(4): Engaging subprocessor
Art. 29: Processor acting under authority of the controller (or other
processor)
Art. 24(1): Responsibilities of Controller Art. 35: DPIA for high risk data processing activities
Art. 30(1)(c): Records of Processing Art. 36: Prior Consultation
Art. 24(1): Responsibilities of Controller Art. 32(2): Security of Processing - Assessing appropriate Art. 35: DPIA for high risk data processing activities
Art. 28(3)(h): Processer makes available documentation to controller level of security Art. 36: Prior Consultation
Art. 30: Records of Processing
Art. 24(1): Responsibilities of Controller Art. 32(2): Security of Processing - Assessing appropriate Art. 35: DPIA for high risk data processing activities
Art. 28(3)(h): Processer makes available documentation to controller level of security Art. 36: Prior Consultation
Art. 30: Records of Processing
Art. 17(2): Right of Erasure - inform processors, where data Art. 21(4): Notification of right to object Art. 24(3): Controller adherrance to codes of conduct or certification Art. 32(2): Security of Processing - Assessing appropriate Art. 40: Codes of Coduct
released to the public Art. 25(3): DPbDD certification level of security Art. 41: Monitoring codes of conduct
Art. 28(3)(a): Processor should process based on documented Art. 32(3): Security of Processing - Code of Conduct or Art. 42: Certification
instructions certification
Art. 28(3)(e): Processor to assist controller with technical and org.
measures
Art. 28(4): Processor use of subprocessor
Art. 28(5): Processor adherance to code of conduct
Art. 28(6): Processor use of standard contract clauses
Art. 28(10): Processor default to controller
Art. 32(2): Security of Processing - Assessing appropriate
level of security
Art. 32(3): Security of Processing - Code of Conduct or
certification
Art. 28(5): Processor adherance to code of conduct Art. 32(2): Security of Processing - Assessing appropriate Art. 40: Codes of Coduct
level of security Art. 41: Monitoring codes of conduct
Art. 42: Certification
Art. 25(1): DPbDD Design Art. 32(2): Security of Processing - Assessing appropriate Art. 35: DPIA for high risk data processing activities
level of security Art. 35(9): DPIA seek views of data subjects or their
representatives
Art. 22: Automated decision making Art. 25(1): DPbDD Design Art. 35: DPIA for high risk data processing activities
Art. 22: Automated decision making Art. 24(1): Responsibilities of Controller Art. 32(2): Security of Processing - Assessing appropriate
Art. 25(1): DPbDD Design level of security
Art. 24(1): Responsibilities of Controller Art. 32(2): Security of Processing - Assessing appropriate Art. 35: DPIA for high risk data processing activities
Art. 25(1): DPbDD Design level of security
Art. 24(1): Responsibilities of Controller Art. 32(2): Security of Processing - Assessing appropriate Art. 35: DPIA for high risk data processing activities
Art. 25(1): DPbDD Design level of security
Art. 24(1): Responsibilities of Controller Art. 32(1)(d): Security of Processing - Regular testing of Art. 35: DPIA for high risk data processing activities
Art. 24(2): Responsibilities of Controller - data protection policies effectiveness of controls
Art. 32(2): Security of Processing - Assessing appropriate
level of security
Art. 28(1): Controller to use processors providing sufficient guarantees Art. 32(1)(d): Security of Processing - Regular testing of
effectiveness of controls
Art. 32(2): Security of Processing - Assessing appropriate
level of security
Art. 26: Joint Controllers Art. 32(1)(b): Security of Processing - ensure ongoing CIA Art. 35(1): DPIA High Risk assessment
Art. 28(1,3, 4,6 &9): Processors governed by contract
Art. 30(2)(d): Records of processing - processor to maintain records of
security measures
Art. 32: Security of Processing
Art. 32(2): Security of Processing - Assessing appropriate
level of security
Art. 24(1): Responsibilities of Controller Art. 32(1)(b): Security of Processing - Ensure ongoing CIA Art. 35(11): DPIA - Periodic review of DPIA
Art. 28(1,3,4 &9): Processors governed by contract
Art. 30(2)(d): Records of processing - processor to maintain records of
security measures
Art. 24(2): Controller - appropriate data protection policies
Art. 25(1): DPbDD Design
Art. 27: Representatives Art. 37: Data Protection Officer
Art. 38: DPO qualifications
Art. 39: Tasks of a DPO
Art. 28(1,3,4 &9): Processors governed by contract Art. 32(1)(b): Security of Processing - ensure ongoing CIA
Art. 30(2)(d): Records of processing - processor to maintain records of
security measures
Art. 23: Restrictions Art. 24(3): Controller adherrance to codes of conduct or certification Art. 32(1)(b): Security of Processing - Ensure ongoing CIA Art. 40: Codes of Coduct
Art. 25(3): DPbDD certification Art. 32(2): Security of Processing - Assessing appropriate Art. 41: Monitoring codes of conduct
Art. 28(3): Processors governed by contract level of security Art. 42: Certification
Art. 28(4): Processor use of subprocessor Art. 32(3): Security of Processing - Code of Conduct or
Art. 28(5): Processor adherance to code of conduct certification
Art. 28(6): Processor use of standard contract clauses
Art. 28(10): Processor default to controller
Art. 24(2): Responsibilities of Controller - data protection policies Art. 32(1)(d): Security of Processing - Regular testing of
effectiveness of controls
Art. 32(2): Security of Processing - Assessing appropriate
level of security
Art. 32(2): Security of Processing - Assessing appropriate
level of security
Art. 32(2): Security of Processing - Assessing appropriate
level of security
Art. 24(1): Responsibilities of Controller Art. 32(2): Security of Processing - Assessing appropriate
level of security
Art. 27: Representatives Art. 37: Data Protection Officer
Art. 38: DPO qualifications
Art. 39: Tasks of a DPO
Art. 27: Representatives Art. 37: Data Protection Officer
Art. 38: DPO qualifications
Art. 39: Tasks of a DPO
Art. 27: Representatives Art. 37: Data Protection Officer
Art. 38: DPO qualifications
Art. 39: Tasks of a DPO
Art. 17(2): Right of Erasure - inform processors, where data Art. 21(4): Notification of right to object Art. 24(2): Controller - appropriate data protection policies Art. 32(1)(b): Security of Processing - ensure ongoing CIA Art. 35(1): DPIA High risk assessment
released to the public Art. 28(1,3,4 &9): Processors governed by contract
Art. 32(2): Security of Processing - Assessing appropriate Art. 35(11): DPIA - Periodic review of DPIA
level of security
Art. 27: Representatives Art. 37: Data Protection Officer
Art. 38: DPO qualifications
Art. 39: Tasks of a DPO
Art. 32(1)(d): Security of Processing - Regular testing of
effectiveness of controls
Art. 32(2): Security of Processing - Assessing appropriate
level of security
Art. 32(1)(d): Security of Processing - Regular testing of
effectiveness of controls
Art. 32(2): Security of Processing - Assessing appropriate
level of security
Art. 17(2): Right of Erasure - inform processors, where data Art. 28(3)(e): Processor to assist controller with technical and org. Art. 38(4): DPO as a point of contact to for data subjects.
released to the public measures
Art. 17(3): Exemptions for right to erasure Art. 22: Automated decision making Art. 28(3)(a): Processor processing only on documented instruction Art. 32(4): Security of processing supervision of person Art. 35: DPIA for high risk data processing activities
Art. 18(2): Exception to right to restriction of processing Art. 29: Processing under authority of controller or processor under control of controller
Art. 21: Right to Object Art. 28: Processor obligations Art. 44: Crossborder transfers
Art. 17: Right of Erasure Art. 22: Automated decision making Art. 28(3)(e): Processor to assist controller with technical and Art. 45: Transfers based on adequacy
Art. 18: Right to Restriction of Processing organizational measures Art. 46: Transfers based on appropriate safeguards
Art. 30(1)(d): Records of processing categories of recipients Art. 47: Transfers based on BCRs
Art. 30(1)(e): Records of processing by controller: transfers Art. 48: Transfers not authorized by law
Art. 30(2)(c): Records of processing by processors: transfers Art. 49: Derogation for transfers
Art. 16: Right to rectification Art. 21: Right to Object Art. 28(3)(e): Processor to assist controller with technical and org.
Art. 17: Right of Erasure Art. 22: Automated decision making measures
Art. 18: Right to Restriction of Processing
Art. 20: Right to Data Portability
Art. 25(1): DPbDD Design
Art. 16: Right to rectification Art. 28(3)(e): Processor to assist controller with technical and org.
Art. 17: Right of Erasure measures
Art. 30: Records of Processing Activities
Art. 16: Right to rectification Art. 28(3)(e): Processor to assist controller with technical and org.
Art. 17: Right of Erasure measures
Art. 20: Right to Data Portability
Art. 16: Right to rectification Art. 28(3)(e): Processor to assist controller with technical and org.
measures
Art. 16: Right to rectification Art. 28(3)(e): Processor to assist controller with technical and org.
Art. 17: Right of Erasure measures
Art. 28(3)(a): Processor should process based on documented
instructions
Art. 28(3)(g): Processor obligation to delete data at end of contract
Art. 17(2): Right of Erasure - inform processors, where data Art. 28(3)(e): Processor to assist controller with technical and org. Art. 32(1)(b): Ensure ongoing confidentiality, integrity and
released to the public measures availability.
Art. 20: Right to Data Portability
Art. 28(3)(g): Processor obligation to delete data at end of contract
Art. 30(1)(f): Records of processing- data retention/deletion schedule
Art. 24(1): Responsibilities of Controller Art. 32(1)(b): Ensure ongoing confidentiality, integrity and
Art. 24(2): Controller - appropriate data protection policies availability.
Art. 32(1)(b): Security of Processing - Ensure ongoing CIA
Art. 22: Automated decision making Art. 32(1)(b): Ensure ongoing confidentiality, integrity and
availability.
Art. 32(1)(b): Ensure ongoing confidentiality, integrity and Art. 35: DPIA for high risk data processing activities
availability.
Art. 25(2): DPbDD Default
Art. 25(2): DPbDD Default Art. 32(4): Security of processing supervision of person
Art. 28(3)(a): Processor to process under instructions of controller under control of controller
Art. 28(3)(h): Processor to demonstrate compliance with instructions
Art. 25(2): DPbDD Default
Art. 32(1)(a): Security of Processing - Pseudonymization
Art. 28(3)(e): Processor to assist controller with technical and org.
released to the public measures
Art. 18(3): Right of Restriction, right to be informed before
restriction is lifted
Art. 27: Representatives Art. 37: Data Protection Officer
released to the public Art. 28(3)(e): Processor to assist controller with technical and org. Art. 38: DPO qualifications
Art. 18(3): Right of Restriction, right to be informed before measures Art. 39: Tasks of a DPO
restriction is lifted
Art. 28(3)(e): Processor to assist controller with technical and org.
released to the public measures
Art. 18(3): Right of Restriction, right to be informed before
restriction is lifted
Art. 28(3)(e): Processor to assist controller with technical and org. Art. 35(9): DPIA seek views of data subjects or their
measures representatives
Art. 31: Cooperation with supervisor authorities Art. 36: Prior Consultation
Art. 28(3)(e): Processor to assist controller with technical and org. Art. 32(1)(b): Ensure ongoing Confidentiality, Integrity and
released to the public measures Availability
Art. 18(3): Right of Restriction, right to be informed before
restriction is lifted
Art. 28(3): Processing to be governed by contract Art. 48: Transfers or disclosures not authorized by law
Art. 30(1)(d): Records of processing categories of receipients
Art. 17(2): Right of Erasure - inform processors, where data Art. 21(4): Notification of right to object Art. 28(3)(e): Processor to assist controller with technical and org.
released to the public measures
Art. 19: Notification of obligation of rectification and erasure
Art. 24(1): Responsibility of control to demonstrate compliance Art. 32(2): Security of Processing - Assessing appropriate
Art. 30: Records of processing activities level of security
Art. 28(3): Processor's responsbilities Art. 33: Notification of data breach to supervisory authority
Art. 34: Notification of data breach to data subject
Art. 28(3)(e): Processor to assist controller with technical and org.
measures
Art. 25(2): DPbDD Default
Art. 32(1)(c): Security of Processing - Ability to restore data
Art. 32(1)(b): Security of Processing - Ensure ongoing CIA
Art. 32(2): Security of Processing - Assessing appropriate
level of security
Art. 28(3)(e): Processor to assist controller with technical and org. Art. 32(1)(b): Security of Processing - Ensure ongoing CIA
measures
Art. 33: Notification of data breach to supervisory authority
Art. 34: Notification of data breach to data subject
Art. 32(1)(b): Security of Processing - Ensure ongoing
confidentiality, integrity, availability
Art. 32(1)(c): Security of Processing - Ability to restore data
Art. 28(3)(b): Processor ensures person processing data are governed by
contract or law to the confidentiality of data
Art. 32(1)(d): Security of Processing - Regular testing of
effectiveness of controls
Art. 32(2)(d): Security of Processing - Assess appropriate
level of security
Art. 32(1)(a): Security of Processing - Pseudonymization
and encryption
Art. 32(1)(a): Security of Processing - Pseudonymization
and encryption
Art. 32(1)(a): Security of Processing - Pseudonymization
and encryption
Art. 28(3)(g): Processor deletion of process at conclusion of contract Art. 32(1)(a): Security of Processing - Pseudonymization
Art. 30(1)(f): Data retention/deletion schedule and encryption
Art. 32(1)(a): Security of Processing - Pseudonymization
and encryption
Art. 32(1)(d): Security of Processing - Regular testing of
effectiveness of controls
Art. 32(2): Security of Processing - Assessing appropriate
level of security
Art. 32(1)(d): Security of Processing - Regular testing of
effectiveness of controls
Art. 32(2): Security of Processing - Assessing appropriate
level of security
Art. 32(1)(b): Security of Processing - Ensure ongoing CIA
Art. 32(1)(a): Security of Processing - Pseudonymization
and encryption
Art. 25(2): DPbDD Default
Art. 32(1)(b): Security of Processing - Ensure ongoing CIA
Art. 32(1)(c): Security of Processing - Ability to restore data