Privacy & Data Protection Practitioner Courseware - English - European Institute of Management and Finance (EIMF) - Page 28

4. Assignment 3: Executing a DPIA: Outsourcing of personal data processing

Background

A company named Alpha Manufacturing Inc. (Alpha) outsources the payroll processing operation of the company’s employees to a company called Beta Cloud Services S.A. (Beta).

Company Alpha has the role of controller; company Beta has the role of processor.

Company Beta is certified according to the latest ISO 27001 (Information Security) standard and has been selected through the procurement process of company Alpha.

The board of directors of company Alpha has requested that a Data Protection Impact Assessment (DPIA) be performed. The DPIA should cover the outsourcing of personal data processing (by a newly developed payroll application) to this external service provider, in full compliance with the EU GDPR. The results have to be reported to the board directly.

A DPIA is required because:

- it concerns the application of a new technological solution in a changed organizational set-up;

- the processing of this specific personal data by the external party could have a significant impact on the daily lives and privacy of company Alpha employees.

The first two steps of the DPIA have already been executed.

A description of the envisaged processing operations and the purposes of the processing is available. The purpose of the processing has been defined by the board.

The inventory of the payroll personal data and the data flows are available, as well as an overview of the responsibilities for and ownership of these personal data. This inventory was set up by a privacy analyst working at the legal department.
