Content library
Processing principles and accountability
Regular self-evaluation of the lawfulness of processing personal data

Other tasks from the same security theme

Task name
Priority
Status
Theme
Policy
Other requirements
Documentation of personal data processing purposes for data stores
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Privacy
Processing principles and accountability
20
requirements

Examples of other requirements this task affects

6. Lawfulness of processing
GDPR
30. Records of processing activities
GDPR
18.1.4: Privacy and protection of personally identifiable information
ISO 27001
A.7.2.2: Identify lawful basis
ISO 27701
A.7.2.8: Records related to processing PII
ISO 27701
See all related requirements and other information from tasks own page.
Go to >
Documentation of personal data processing purposes for data stores
1. Task description

Processing of personal data is only lawful if one of the legal bases set out in the General Data Protection Regulation is met. The organization must be able to communicate the purpose of the processing and the legal basis to the data subject and, where appropriate, to the supervisory authority.

The documentation shall include at least:

  • the legal basis for the processing and the necessary additional information
  • the parties to whom the processing has been outsourced
  • related data sets
Records of processing activities -report publishing and maintenance
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Privacy
Processing principles and accountability
7
requirements

Examples of other requirements this task affects

30. Records of processing activities
GDPR
A.7.2.8: Records related to processing PII
ISO 27701
TSU-01: Käsiteltävien henkilötietojen tunnistaminen
Julkri
TSU-21: Seloste käsittelytoimista
Julkri
61: Seloste käsittelytoiminnasta
Digiturvan kokonaiskuvapalvelu
See all related requirements and other information from tasks own page.
Go to >
Records of processing activities -report publishing and maintenance
1. Task description

Records of processing activities is a written description of the processing of personal data by the organization.

This report is mandatory if any of the following occurs:

  • the organization has more than 250 employees
  • the processing of personal data is not incidental
  • the processing of personal data is likely to pose a risk to the data subject's rights and freedoms
  • the personal data processed contain special categories of data or personal data relating to criminal convictions and offenses

Records must be kept up to date. They also serve as a first-level way of assessing the lawfulness of processing, so it must be provided to the supervisory authority on request.

In Cyberday, records of processing activities is an own report, which is automatically gathered from the data on documentation sections.

Personnel guidelines for safe processing of personal and confidential data
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Privacy
Processing principles and accountability
29
requirements

Examples of other requirements this task affects

29. Processing under the authority of the controller or processor
GDPR
7.2.2: Information security awareness, education and training
ISO 27001
11.2.8: Unattended user equipment
ISO 27001
11.2.9: Clear desk and clear screen policy
ISO 27001
12.1.1: Documented operating procedures
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Personnel guidelines for safe processing of personal and confidential data
1. Task description

The Data Protection Officer (or other responsible person) has drawn up operating instructions for personnel handling personal data. In addition, the Data Protection Officer is ready to advise the controller, personal data processing partners or their own staff on compliance with GDPR or other data protection requirements.

Data store listing and owner assignment
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Privacy
Processing principles and accountability
42
requirements

Examples of other requirements this task affects

5. Principles relating to processing of personal data
GDPR
6. Lawfulness of processing
GDPR
8.1.1: Inventory of assets
ISO 27001
5 §: Tiedonhallintamalli ja muutosvaikutuksen arviointi
TiHL
6.7: Asiakas- ja potilastietojärjestelmät, niihin liitetyt tietojärjestelmät ja muut tietojärjestelmät
Omavalvontasuunnitelma
See all related requirements and other information from tasks own page.
Go to >
Data store listing and owner assignment
1. Task description

Organisation must maintain a listing of controlled data stores and their owners. Owner is responsible for completing the documentation and other possible security actions directly related to the data store.

Data store documentation must include at least:

  • Connected responsibilities
  • Data processing purposes (covered in a separate task)
  • Data sets included in the data store (covered in a separate task)
  • Data disclosures (covered in a separate task)
  • When necessary, data stores connections to action processes
Collection and documentation of explicit consents
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Privacy
Processing principles and accountability
1
requirements

Examples of other requirements this task affects

P3.2: Additional measures when processing requires explicit consent
SOC 2
See all related requirements and other information from tasks own page.
Go to >
Collection and documentation of explicit consents
1. Task description

The organization has identified the purposes of use of personal data where explicit consent is required as the legal basis for processing. In addition, the organization has defined methods for documenting the explicit consents received.

Explicity refers to the unequivocal way in which the data subject expresses his consent. Such consent can be given e.g. by traditional signature of the statement, electronic signature or acknowledgment after two-step identification.

Situations requiring specific identification may include e.g.

  • Special personal data (e.g. health data) processing
  • Data transferred to third countries (when other transfer criteria according to the GDPR cannot be met)
  • Automatic decision-making or profiling
Informing of infringing processing instructions
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Privacy
Processing principles and accountability
1
requirements

Examples of other requirements this task affects

A.8.2.4: Infringing instruction
ISO 27701
See all related requirements and other information from tasks own page.
Go to >
Informing of infringing processing instructions
1. Task description

It is the responsibility of the organization to notify the customer if the processing instructions seem to violate laws or official requirements.

Restriction of processing for personal data processed on behalf of a customer
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Privacy
Processing principles and accountability
1
requirements

Examples of other requirements this task affects

A.8.2.2: Organization's purposes
ISO 27701
See all related requirements and other information from tasks own page.
Go to >
Restriction of processing for personal data processed on behalf of a customer
1. Task description

When an organization offers e.g. digital services to its customer, the contract between the organization and the customer must specify e.g. the goal of the service and the schedule related to its delivery.

The organization must ensure that personal data processed on behalf of the customer is processed only for the purposes stated in the customer's written instructions.

The customer must also be offered the opportunity to verify the organization's operation in relation to the instructions. This ensures that the organization and its subcontractors process personal data only for the purposes indicated by the customer.

Limiting marketing and advertising use of personal data processed under a contract
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Privacy
Processing principles and accountability
1
requirements

Examples of other requirements this task affects

A.8.2.3: Marketing and advertising use
ISO 27701
See all related requirements and other information from tasks own page.
Go to >
Limiting marketing and advertising use of personal data processed under a contract
1. Task description

The organization should ensure that personal data processed on a contractual basis is not used for marketing or advertising unless there is prior consent from the data subject.

Consent to marketing and advertising cannot be used as a condition for receiving the service.

Consent condition review
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Privacy
Processing principles and accountability
2
requirements

Examples of other requirements this task affects

A.7.2.4: Obtain and record consent
ISO 27701
P2.1: Communication of choices about personal information to data subjects
SOC 2
See all related requirements and other information from tasks own page.
Go to >
Consent condition review
1. Task description

The organization must regularly review its way of collecting consent from data subjects to ensure that the consent is unambiguous and precise.

Process for safe destruction of temporary files and data from data systems
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Privacy
Processing principles and accountability
3
requirements

Examples of other requirements this task affects

A.5: Data minimization
ISO 27018
A.5.1: Secure erasure of temporary files
ISO 27018
A.8.4.1: Temprorary files
ISO 27701
See all related requirements and other information from tasks own page.
Go to >
Process for safe destruction of temporary files and data from data systems
1. Task description

Each data system can create temporary files during its normal operations. These can include e.g. roll-back journals or temporary files associated with updates.

Organisation should have documented a certain time period and process, how temporary files and documents must be destroyed. Organisation should also define procedures for recognizing relevant files that are temporary and not used for any operation by the data system anymore.

Data systems used for processing personal data should have a periodic reviewing process to identify unused temporary data for destruction.

Getting a proper consent for potential commercial utilization purposes of customer-owned data
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Privacy
Processing principles and accountability
1
requirements

Examples of other requirements this task affects

A.3.2: Public cloud PII processor's commercial use
ISO 27018
See all related requirements and other information from tasks own page.
Go to >
Getting a proper consent for potential commercial utilization purposes of customer-owned data
1. Task description

Personal data processed under a contract, e.g. when offering a cloud service for a customer, are not to be used for marketing or advertising purposes without a clear consent from the customer that controls the data.

This consent can’t be e.g. demanded as a prerequisite for being able to utilize the offered cloud service.

This requirement is in line with general personal data processing requirements, where all personal data processing must have a clear legal basis. Potential processing must be documented normally.

Purpose limitation of processed, customer-owned data in offered cloud services
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Privacy
Processing principles and accountability
1
requirements

Examples of other requirements this task affects

A.3.1: Public cloud PII processor’s purpose
ISO 27018
See all related requirements and other information from tasks own page.
Go to >
Purpose limitation of processed, customer-owned data in offered cloud services
1. Task description

Personal data in offered cloud services that is processed under a contract can not be processed for any other purpose or differently from customers instructions.

Customer instructions for the data processor can be contained in the contract between the cloud service provider and customer including, e.g. the objective and probable time frame of the service.

Documentation of conditions of consent for relevant processing purposes
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Privacy
Processing principles and accountability
8
requirements

Examples of other requirements this task affects

7. Conditions for consent
GDPR
17. Right to erasure (‘right to be forgotten’)
GDPR
A.7.2.3: Determine when and how consent is to be obtained
ISO 27701
A.7.2.4: Obtain and record consent
ISO 27701
A.7.3.4: Providing mechanism to modify or withdraw consent
ISO 27701
See all related requirements and other information from tasks own page.
Go to >
Documentation of conditions of consent for relevant processing purposes
1. Task description

If our organization processes personal data based on the consent of the data subject, we must ensure that the conditions for consent are met. The conditions for lawful consent are:

  • The controller must be able to demonstrate that the data subject has consented to the processing of his or her personal data
  • The request for consent must be clearly separated from other matters in an easily comprehensible form
  • The data subject may withdraw her consent at any time and has been instructed to do so before giving her consent
  • Withdrawal of consent must be as easy as giving it

The Data Protection Officer may be responsible for assessing the conditions of consent. It is also important to consider, whether consent is generally appropriate as a legal basis for the corresponding processing.

Implementation and documentation of balance tests
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Privacy
Processing principles and accountability
5
requirements

Examples of other requirements this task affects

6. Lawfulness of processing
GDPR
21. Right to object
GDPR
18.1.4: Privacy and protection of personally identifiable information
ISO 27001
TSU-07: Käsittelyn lainmukaisuus
Julkri
See all related requirements and other information from tasks own page.
Go to >
Implementation and documentation of balance tests
1. Task description

One of the legal grounds for lawful processing of personal data is the implementation of the data controller or a third party's legitimate interests. To determine when a legitimate interest is justified, a so-called balance test is done to weigh controller or a third party interest against the basic rights of the data subject.

When our processing based on a legitimate interest, we document the implementation of the balancing test and its results so that, if necessary, we can demonstrate that our operations comply with GDPR.

Defining and documenting retention times for data sets
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Privacy
Processing principles and accountability
16
requirements

Examples of other requirements this task affects

5. Principles relating to processing of personal data
GDPR
18.1.3: Protection of records
ISO 27001
21 §: Tietoaineistojen säilytystarpeen määrittäminen
TiHL
PR.IP-6: Data destruction
NIST
A.7.4.2: Limit processing
ISO 27701
See all related requirements and other information from tasks own page.
Go to >
Defining and documenting retention times for data sets
1. Task description

Limiting the retention time is one of the principles of the processing of personal data. If the retention period of the data is not provided by law, when determining the retention periods, the following must be taken into account, for example:

  • the necessity of the data for its original processing purpose
  • implementation and verification of the interests, rights, obligations and legal protection of a natural or legal person
  • the legal effect of the contract or other legal action in civil matters
  • statutory limitation periods
  • criminal limitation periods

Describe your own process for evaluating retention periods.

Executing and documenting data protection impact assessments
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Privacy
Processing principles and accountability
9
requirements

Examples of other requirements this task affects

35. Data protection impact assessment
GDPR
36. Prior consultation
GDPR
A.7.2.5: Privacy impact assessment
ISO 27701
TSU-16: Tietosuojariskien hallinta
Julkri
TSU-17 : Tietosuojan vaikutustenarviointi
Julkri
See all related requirements and other information from tasks own page.
Go to >
Executing and documenting data protection impact assessments
1. Task description

The purpose of a data protection impact assessment is to help identify, assess and manage the risks involved in the processing of personal data. An impact assessment must be carried out when the processing of personal data is likely to pose a high risk to people's rights and freedoms. Risks are increased by, for example, the use of new technologies, the processing of sensitive personal data, the automation of personal characteristics or the scale of processing in general.

Task owner regularly evaluates organisation's processing of personal data, in particular, the databanks and related processing purposes and the data systems used, in order to determine the need for impact assessments. Task owner is also responsible for ensuring the identified impact assessments get conducted and documented.

Identifying and complying with additional requirements related to automated decision-making
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Privacy
Processing principles and accountability
2
requirements

Examples of other requirements this task affects

A.7.3.10: Automated decision making
ISO 27701
TSU-20: Automatisoidut yksittäispäätökset
Julkri
See all related requirements and other information from tasks own page.
Go to >
Identifying and complying with additional requirements related to automated decision-making
1. Task description

The organization should identify the statutory obligations concerning data subjects in relation to decisions concerning data subjects that are based on automated processing (e.g. notifying the data subject of automated decision-making) and ensure that these requirements are met in its own operations.

Processing of a child's personal data in connection with the provision of information society services based on consent
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Privacy
Processing principles and accountability
1
requirements

Examples of other requirements this task affects

8. Conditions applicable to child's consent in relation to information society services
GDPR
See all related requirements and other information from tasks own page.
Go to >
Processing of a child's personal data in connection with the provision of information society services based on consent
1. Task description

If our organization provides information society services directly to a child, it is legal to process personal data on the basis of consent if the child is at least 16 years old.

If the child is under the age of 16, such processing is lawful only if and to the extent that the child's parent has given his or her consent or authorization.

Our organization has defined the relevant situations and the procedures to be applied to ensure that consent is obtained from the child's parents, if necessary.

Processing of personal data related to criminal convictions and offenses
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Privacy
Processing principles and accountability
3
requirements

Examples of other requirements this task affects

10. Processing of personal data relating to criminal convictions and offences
GDPR
TSU-01.1: Käsiteltävien henkilötietojen tunnistaminen - Erityiset henkilötietoryhmät tai rikostuomioihin ja rikoksiin liittyvät tiedot
Julkri
TSU-07.4: Käsittelyn lainmukaisuus - Rikostuomioihin ja rikoksiin liittyvät henkilötiedot
Julkri
See all related requirements and other information from tasks own page.
Go to >
Processing of personal data related to criminal convictions and offenses
1. Task description

We know whether the processing of personal data involves information related to criminal convictions and violations.

If we process personal data relating to criminal convictions and offenses, we carry out the processing either under the supervision of an authority or the processing must be permitted by Union law / Member State law where appropriate safeguards are in place to protect the data subject's rights and freedoms.

Regular self-evaluation of the lawfulness of processing personal data
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Privacy
Processing principles and accountability
5
requirements

Examples of other requirements this task affects

6. Lawfulness of processing
GDPR
9. Processing of special categories of personal data
GDPR
TSU-07: Käsittelyn lainmukaisuus
Julkri
TSU-07.3: Käsittelyn lainmukaisuus - Erityiset henkilötietoryhmät
Julkri
See all related requirements and other information from tasks own page.
Go to >
Regular self-evaluation of the lawfulness of processing personal data
1. Task description

GDPR defines six main legal bases for the lawful processing of personal data. In addition, more strict requirements apply to processing of special groups of personal data. The legal basis must also be communicated to the data subjects in privacy communication. However, not all legal bases adapt to all situations and the application of certain legal bases imposes additional requirements on the controller.

The Data Protection Officer (or other responsible person) helps to develop the lawfulness of the processing by assessing the legal bases for the different purposes in cooperation with the units carrying out the processing and on the basis of data protection communications.

Privacy-related codes of conduct and certification
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Privacy
Processing principles and accountability
2
requirements

Examples of other requirements this task affects

32. Security of processing
GDPR
TSU-15: Osoitusvelvollisuus
Julkri
See all related requirements and other information from tasks own page.
Go to >
Privacy-related codes of conduct and certification
1. Task description

GDPR encourages the introduction of a number of general codes of conduct and certification mechanisms, data protection shields and marks, especially at the European Union level.

The idea behind all of these is to show that the processing is in line with good data processing and data protection requirements. The European Data Protection Council will gather all available certification mechanisms publicly available.

Data privacy statement process
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Privacy
Processing principles and accountability
0
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Data privacy statement process
1. Task description

A yearly privacy statement is a voluntary report drawn up by the organization that gives an overall picture of the current status of the organization's personal data processing. The report is intended as a management tool to increase stakeholder confidence that the organization adheres to a good regulatory approach to personal data processing.

Universal cyber compliance language model: Comply with confidence and least effort

In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.

Security frameworks tend to share the common core. All frameworks cover basic topics like risk management, backup, malware, personnel awareness or access management in their respective sections.
Cyberday’s universal cyber security language technology creates you a single security plan and ensures you implement the common parts of frameworks just once. You focus on implementing your plan, we automate the compliance part - for current and upcoming frameworks.
Start your free trial
Get to know Cyberday
Start your free trial
Cyberday is your all-in-one solution for building a secure and compliant organization. Whether you're setting up a cyber security plan, evaluating policies, implementing tasks, or generating automated reports, Cyberday simplifies the entire process.
With AI-driven insights and a user-friendly interface, it's easier than ever to stay ahead of compliance requirements and focus on continuous improvement.
Clear framework compliance plans
Activate relevant frameworks and turn them into actionable policies tailored to your needs.
Credible reports to proof your compliance
Use guided tasks to ensure secure implementations and create professional reports with just a few clicks.
AI-powered improvement suggestions
Focus on the most impactful improvements in your compliance with help from Cyberday AI.