GDPR Compliance Evidence

Chapter Section Article Evidence

CHAPTER I General provisions
Article 1 Subject-matter and objectives
Article 2 Material scope
GDPR Gap Assessment Tool
Article 3 Territorial scope
Article 4 Definitions

CHAPTER II Principles
Article 5 - Principles relating to processing of personal data

Article 6 - Lawfulness of processing

Article 7 - Conditions for consent
Article 8 - Conditions applicable to child's consent in relation to Privacy and Personal Data Protection Policy
information society services Records Retention and Protection Policy
Executive Support Letter
Article 9 - Processing of special categories of personal data
Article 10 - Processing of personal data relating to criminal
convictions and offences
Article 11 - Processing which does not require identification

CHAPTER III - Rights of the data subject

Section 1 - Transparency and modalities
Article 12 - Transparent information, communication and
modalities for the exercise of the rights of the data subject
Section 2 - Information and access to personal data
Article 13 - Information to be provided where personal data are Data Subject Request Procedure
collected from the data subject Privacy Notice Procedure
Privacy Notice Planning Forms
Article 14 - Information to be provided where personal data
have not been obtained from the data subject
Article 15 - Right of access by the data subject
Section 3 Rectification and erasure
Article 16 - Right to rectification
Article 17 - Right to erasure ('right to be forgotten')
Article 18 - Right to restriction of processing
Article 19 - Notification obligation regarding rectification or
erasure of personal data or restriction of processing
Article 20 - Right to data portability Data Subject Request Procedure
Data Subject Request Register
Section 4 - Right to object and automated individual decision-making Data Subject Request Forms
Article 21 - Right to object
Article 22 - Automated individual decision-making, including
profiling
Section 5 - Restrictions
Article 23 - Restrictions

CHAPTER IV - Controller and processor

Section 1 - General obligations
Article 24 - Responsibility of the controller
Article 25 - Data protection by design and by default
Article 26 - Joint controllers
Article 27 - Representatives of controllers or processors not Privacy and Personal Data Protection Policy
established in the Union GDPR Communication Programme
Article 28 - Processor
Article 29 - Processing under the authority of the controller or
processor
Article 30 - Records of processing activities Personal Data Asset Inventory
Record of Processing Activities
Article 31 - Cooperation with the supervisory authority Privacy and Personal Data Protection Policy
Section 2 - Security of personal data

07/09/2019 Page 1 of 3 Confidential

Chapter Section Article Evidence
Article 32 - Security of processing Information Security Management System (not included in
the assessment - ex. From ISO 27001)
GDPR Competence Development Procedure
Information Security Awareness Training
Article 33 - Notification of a personal data breach to the Information Security Incident Response Procedure
supervisory authority Personal Data Breach Notification Procedure
Article 34 - Communication of a personal data breach to the Personal Data Breach Register
data subject Personal Data Breach Notification Forms
Section 3 - Data protection impact assessment and prior consultation
Article 35 - Data protection impact assessment
Data Protection Impact Assessment Process
Data Protection Impact Assessment Questionnaires
Data Protection Impact Assessment Reports
Personal Data Mapping Procedure
Article 36 - Prior consultation Personal Data Capture Forms
Personal Data Mapping Diagrams
Personal Data Flow Mapping Tool
Personal Data Asset Inventory
Supplier GDPR Assessment Procedure
Supplier GDPR Assessment Forms

Section 4 - Data protection officer

Article 37 - Designation of the data protection officer
Article 38 - Position of the data protection officer GDPR Roles, Responsibilities and Authorities
Article 39 - Tasks of the data protection officer
Section 5 - Codes of conduct and certification
Article 40 - Codes of conduct
Article 41 - Monitoring of approved codes of conduct
None required
Article 42 - Certification
Article 43 - Certification bodies

CHAPTER V - Transfers of personal data to third countries or international organisations

Article 44 - General principle for transfers
Article 45 - Transfers on the basis of an adequacy decision
Procedure for International Transfers of Personal Data
Article 46 - Transfers subject to appropriate safeguards
Personal Data Flow Mapping Tool
Article 47 - Binding corporate rules Personal Data Capture Forms
Personal Data Mapping Diagrams
Article 48 - Transfers or disclosures not authorised by Union law
Article 49 - Derogations for specific situations
Article 50 - International cooperation for the protection of
personal data None required

CHAPTER VI - Independent supervisory authorities

Section 1 - Independent status
Article 51 - Supervisory authority
Article 52 - Independence
Article 53 - General conditions for the members of the
supervisory authority
Article 54 - Rules on the establishment of the supervisory
authority
None required
Section 2 - Competence, tasks and powers
Article 55 - Competence
Article 56 - Competence of the lead supervisory authority
Article 57 - Tasks
Article 58 - Powers
Article 59 - Activity reports

CHAPTER VII - Cooperation and consistency

Section 1 - Cooperation
Article 60 - Cooperation between the lead supervisory authority
and the other supervisory authorities concerned
Article 61 - Mutual assistance
Article 62 - Joint operations of supervisory authorities
Section 2 - Consistency

07/09/2019 Page 2 of 3 Confidential

None required
Chapter Section Article Evidence
Article 63 - Consistency mechanism
Article 64 - Opinion of the Board
Article 65 - Dispute resolution by the Board
Article 66 - Urgency procedure
Article 67 - Exchange of information
Section 3 - European data protection board None required
Article 68 - European Data Protection Board
Article 69 - Independence
Article 70 - Tasks of the Board
Article 71 - Reports
Article 72 - Procedure
Article 73 - Chair
Article 74 - Tasks of the Chair
Article 75 - Secretariat
Article 76 - Confidentiality

CHAPTER VIII - Remedies, liability and penalties

Article 77 - Right to lodge a complaint with a supervisory
authority
Article 78 - Right to an effective judicial remedy against a
supervisory authority
Article 79 - Right to an effective judicial remedy against a
controller or processor
Article 80 - Representation of data subjects None required
Article 81 - Suspension of proceedings
Article 82 - Right to compensation and liability
Article 83 - General conditions for imposing administrative fines
Article 84 - Penalties

CHAPTER IX - Provisions relating to specific processing situations

Article 85 - Processing and freedom of expression and
information
Article 86 - Processing and public access to official documents
Article 87 - Processing of the national identification number
Article 88 - Processing in the context of employment
Generally none required, but depends on the nature of
Article 89 - Safeguards and derogations relating to processing the organization
for archiving purposes in the public interest, scientific or
historical research purposes or statistical purposes
Article 90 - Obligations of secrecy
Article 91 - Existing data protection rules of churches and
religious associations

CHAPTER X - Delegated acts and implementing acts

Article 92 - Exercise of the delegation
None required
Article 93 - Committee procedure

CHAPTER XI - Final provisions

Article 94 - Repeal of Directive 95/46/EC
Article 95 - Relationship with Directive 2002/58/EC
Article 96 - Relationship with previously concluded Agreements
None required
Article 97 - Commission reports
Article 98 - Review of other Union legal acts on data protection
Article 99 - Entry into force and application

07/09/2019 Page 3 of 3 Confidential