The organisation must maintain a list of the data systems in use and their owners. The owner is responsible for completing the related documentation and any other security actions directly related to the data system.
Data system documentation must include at least:
The organization must maintain a list of partners who have access to confidential information. System vendors and processors of personal data are listed separately from other stakeholders because they play an active role in the processing of data.
The organisation must maintain a list of the data stores under its control and their owners. The owner is responsible for completing the documentation and any other security actions directly related to the data store.
Data store documentation must include at least:
The data in a data store are, in principle, available only to that controller and under the same responsibility. If data are passed on to another organisation for some other use, this must be clearly communicated, stating e.g. the recipient of the transfer and the legal basis.
The processors of personal data (e.g. providers of data systems, other partners using our employee or customer data) and the agreements related to the processing of personal data have been documented. The documentation includes e.g.:
Data processing agreements bind the actions of a personal data processing partner.
It can be important for us to require an important partner to, e.g., ensure the confidentiality requirements for its personnel and restrict the use of other processors of personal data in connection with our data.
The processing agreement binds the actions of the data processor (such as the system vendor).
It can be important for us to ensure that an important partner takes responsibility for, e.g., access control (including logging) and data recovery at the end of the contract, in line with our preferred policies.