This document is intended to provide users, and particularly the law enforcement agencies within the consortium, with an easy-to-use checklist of all personal data considerations they may need to take into account or flag when processing personal data in connection with the RED-Alert project. It is a privacy checklist against which all processing operations are to be measured and assessed.
The list does not purport to be a fully comprehensive solution to all privacy legal issues that may arise throughout the term of the project – and beyond – but is simply a tool that enables issues that may cause concern and require escalation to be flagged at initial stages.
This privacy list is likely to be updated one or more times during the course of the project. The current list is based on the framework set out in EU Regulation 679/2016 – General Data Protection Regulation (‘GDPR’), and the obligations that are set out therein. There are, however, two important disclaimers that need to be set out at this stage:
(i) The GDPR will be brought into force in May 2018, and although a body of experience and practice has built up to date from the current laws in place in the various EU member states and beyond, the fact remains that it is an untested law, and that once put into effect it may give rise to practices that are different to those currently in place. In this event, this list may need to be amended to a greater or lesser extent in order to apply to that future reality.
(ii) This list uses the GDPR as an objective benchmark, especially given that this is also the ‘gold standard’ by which other privacy laws across the world are typically measured. Different jurisdictions, including those jurisdictions in which the various consortium partners are based, and especially those that are not EU member states, have different (and at times, conflicting) laws and regulations concerning the subject. At the time of writing, a full and detailed analysis of the various jurisdictions in question remains ongoing. Once this review is finalised, we expect new and different obligations to come to light, and consequently this list may again need to be revised in order to incorporate these additional obligations.
In summary, therefore, this privacy checklist is designed to be a starting point on the basis of which the work of the consortium members may effectively take off. As always in the field of law, in the event of any concerns that may arise along the way, it remains necessary to seek advice on the specific query in hand, and not to plough ahead regardless.
A final word about using the checklist: the list does not (for practical purposes) make any distinction between obligations that arise in the capacity of a controller, and those arising as a processor of personal data [Note: a controller is broadly defined as that person/entity that decides how, why and when personal data is processed, and for which purposes; whilst a processor is a person/entity engaged, directly or indirectly, by the controller to carry out those processing operations, without having any decision-making power in the data process itself]. If, when using the checklist, you determine that a particular obligation may apply to you, regardless of whether you are a controller or a processor, you are advised to flag this either with your own internal legal advisors, or with MITLA.
Read the full deliverable: D5 1 1 – Data Privacy Check-list