Bookkeeping offices, namely, legal and natural persons who provide bookkeeping services to their depositors in terms of the protection of personal data under the GDPR shall be considered to be processors.
Therefore, they have the obligation to:
Records of processing activities is a form that serves as evidence that the processing of personal data is lawful. AZOP points out that the data contained in the processing records should be adequately protected, such as: a centralized database, the introduction of authorization and access control measures. The records must contain the following details:
- Name and contact details of the processor (for example: name, address, residence, etc.)
- Purpose of processing (explained in detail)
- Description of the categories of data subjects (for example: information concerning employees, patient data) and categories of personal data (for example: name, surname, address, etc.)
- Categories of recipients (including those in third countries or international organisations)
- Time limits for the deletion of the different categories of data (including data held in third countries or international organisations)
- A description of the technical and organisational measures for the protection of personal data; this must be made in written and electronic form and made available to the supervisory authority.
- Keep records of processing activities for the categories of personal data of their data subjects;
The records must contain in detail the following information:
- Name and contact details of each controller on whose behalf the processor acts, and of the controller's representative, where applicable;
- Data protection officer;
- Information on the transfer of personal data to a third country or international organisation, including identification of that third country or international organisation, and, where applicable, documentation of the appropriate safeguards for such a transfer;
- A description of the technical and organisational security measures, containing information on:
  - The pseudonymisation and encryption of personal data;
  - The ability to restore the availability of personal data in a timely manner in the event of a physical or technical incident;
  - The process for the regular testing, evaluation and assessment of the effectiveness of the technical and organisational measures for ensuring the security of the processing;
3. Establish a clear policy concerning the handling of personal data;
In order to achieve lawful and transparent processing of personal data, to provide information relating to that processing, and thus to enable the data subject to exercise their rights (the right of access to data, the right to rectification of inaccurate data, the right to erasure of data, the right to data portability and the right to object to the processing of personal data), the policy should explain in detail which types of personal data are processed, who uses the personal data, and which safeguards concerning personal data are being taken.
Examples of clear policy elements: a privacy policy or rules, a policy or rules on the handling and traceability of personal data, a risk assessment of personal data processing, confidentiality statements and similar documents.
Taking and implementing adequate technical and organisational security measures in order to ensure the security and confidentiality of the processing of personal data and to prevent unauthorised access to, or unauthorised disposal of, personal data and the technical equipment used by controllers and processors. This ensures that personal data are not available to persons who are not authorised to process them. Both at the time of determining the means of processing and at the time of the processing itself, each controller shall specify, depending on the nature, scope and purpose of the processing of personal data, the protection measures that guarantee the safe, fair and lawful processing of personal data and the effective application of the data protection principles (in particular taking into account the necessity of data processing for each specific purpose, the determination of data retention periods, their availability, etc.), as pointed out in the AZOP instructions.
Examples of technical measures: use of passwords, anti-virus protection, encryption, and securing personal data so that they cannot be read, copied, modified or deleted by unauthorised persons, e.g. sending encrypted e-mail and maintaining other encrypted e-mail lists.