This checklist has been created for persons or companies who hold personal data of natural persons. Personal data includes names, physical addresses, email addresses and phone numbers. The checklist will help you find out what you need to do to make sure you are keeping people’s personal data secure in line with the Data Protection Act, 2019, and the General Data Protection Regulations (GDPR).
We have provided a checklist below to help you determine whether you are a Data Controller or Data Processor.
You are a data controller if, either alone or jointly, you:-
- Decide what data to collect
- Decide the purpose for collecting and processing personal data
- Decide who to collect data about
- Obtain a commercial gain or other benefit from the processing, except for any payment for services from another controller
- Process the personal data as a result of a contract between you and the data subject
- Process data about your employees
- Make decisions about the individuals concerned as part of or as a result of the processing
- Exercise professional judgment in the processing of the personal data
- Have complete autonomy as to how the personal data is processed
- Have appointed the processors to process the personal data on your behalf
You are a processor if you do any of the following things to personal data under the instructions of someone else:-
- collection, recording, organisation, structuring;
- storage, adaptation or alteration;
- retrieval, consultation or use;
- disclosure by transmission, dissemination, or otherwise making available; or
- alignment or combination, restriction, erasure or destruction.
A processor does not:-
- Decide to collect personal data from individuals.
- Decide what personal data should be collected from individuals.
- Decide the lawful basis for the use of that data.
- Decide what purpose or purposes the data will be used for.
- Decide whether to disclose the data, or to whom.
- Decide how long to retain the data.
- Have an interest in the final result.
Data Controller’s Check-list
For a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data
Data Processor’s Check-list
For a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller
Definitions of key terms
“anonymisation” means the removal of personal identifiers from personal data so that the data subject is no longer identifiable;
“consent” means any voluntary, specific and informed expression of will of a data subject to process personal data;
“Data Commissioner” means the person appointed under the Data Protection Law;
“data controller” means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data;
“data processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller;
“data subject” means an identified or identifiable natural person who is the subject of personal data;
“identifiable natural person” means a person who can be identified directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity;
“personal data” means any information relating to an identified or identifiable natural person.