PDF PDPF Study Guide

When there is a processor and an operator in EEA countries, the competent authority will be the location of the Controller, however the Supervisory authority of the Controller is considered to be a concerned Supervisory Authority (who has interests).

Therefore, the Processor Supervisory Authority evaluates and approves the rules of the contract, in accordance with Article 57 of the GDPR, and must notify the Controller Supervisory Authority.

In its Article 57, the GDPR legislates on the Responsibilities of the Supervisory Authority. In its first paragraph, items “r” and “s”:

r)Authorise contractual clauses and provisions referred to in Article 46(3);

s)Approve binding corporate rules pursuant to Article 47.

In its Article 5, which deals with the Principles relating to the processing of personal data, paragraph 1, the GDPR describes:

1. Personal data shall be:

adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

(«data minimisation»);

Article 5 mentions all GDPR principles for processing personal data.

The data minimization principle refers to the purpose of the law that only the data that is required for processing should be collected.

This is also favorable to businesses. The less data is collected, the less likely violations are to occur and consequently the impacts also decrease.

The GDPR has 173 recitals. The Recitals introduce a better understanding of the law and its articles. The Articles, which are 99 in total, contain the mandatory requirements of the law.