Lawful processing flowchart

How are you dealing with personal data?

Flowchart Lawful processing

Explanation of lawful processing flowchart

  1. Data may only be collected for a clearly defined purpose, and the data processing must be indispensable for that purpose.
  2. It is important to describe the justified purposes for which you collect and process personal data.
  3. To claim compatible further processing, a number of factors need to be considered (relationship, nature of data, consequences for the data subject, method of acquisition, appropriate safeguards).
  4. Grounds for exception in the matter of compatibility include: state interests (security, economic/financial interests), prevention, detection and prosecution of crimes, monitoring compliance with legal requirements.
  5. Grounds (6): consent, contract, legal obligation, vital interest, public-law duty (public interest), legitimate interest.
  6. No more or less data than necessary may be used.
  7. Special personal data: Religion/beliefs, race/ethnicity, political preferences, health, sexual preferences/practices, membership of an association, personal criminal records, personal data such as restraining orders.
  8. Exceptions provided in articles 17-23 of the Personal Data Protection Act BES (e.g. churches, hospitals, family guardianship).
  9. Direct marketing involves (directly) contacting customers for either commercial or charitable purposes.
  10. Consider the processing method, as it must not be incompatible with the purpose for which you obtained the data.
  11. If you exchange data with countries outside the Caribbean Netherlands, you must ensure that the receiving organization guarantees an adequate level of protection.
  12. To determine this, you can look at the nature of the data, the purpose(s) of the intended processing, the duration of the intended processing, the general rules that apply in that country and the security measures applied in that country (example: adequacy decision by the European Commission).
  13. If you conclude that the exchange of data would not pass the test of an adequate level of protection, you can nevertheless exchange data, provided that you obtain explicit permission to do so, in case of a special need for the exchange, or if the transfer is made from a statutory public register, or if a permit is provided by the DPA (CBP BES).
  14. Check whether you have grounds and meet the criterion of necessity. If that is the case, then the data processing is lawful.