Introduction
This checklist provides guidance to in-house counsel and risk and compliance teams, or private practitioners assisting their clients, on auditing an organisation’s compliance with Regulation (EU) 2016/679 – General Data Protection Regulation 2016/679 (EU GDPR).
The checklist is EU-focused and covers:
- the general requirements under the EU GDPR; and
- the European Data Protection Board (EDPB) and, where relevant, EU member states’ supervisory authorities’ interpretation of such EU GDPR requirements.
This checklist does not address UK-specific data protection law requirements. However, it should be noted that the UK retained the EU GDPR in domestic law following Brexit (commonly referred to as the ‘UK GDPR’), with necessary changes to accommodate domestic areas of UK law. Therefore, insofar as the supervisory authority of the UK (the Information Commissioner’s Office (ICO)) has published guidelines specific to the EU GDPR (prior to Brexit) and the UK GDPR (after Brexit), such guidelines can assist when providing a helpful overview of the subject matter in this guide.
The checklist follows the structure of the EU GDPR and addresses the following areas:
- Principles and lawful processing
- Data subject rights
- Controller and processor
- Security and personal data breaches
- Data protection impact assessments and prior consultation
- Data protection officer
- Codes of conduct and certifications
- International data transfers
It aligns with How-to guide: How to ensure compliance with the GDPR and covers the organisation’s processing activities in respect of customer and user data, and internal employee data. At the end of the document there are explanatory notes corresponding to the relevant step in the checklist.
The checklist focuses on mandatory/key issues and there may be additional measures that an organisation should take as a matter of good practice.
Key definitions, such as ‘controller’, ‘processor’, ‘data subject’, ‘personal data’ and ‘processing’, are further explained in How-to guide: Understanding key data protection definitions.
This checklist can be used in conjunction with How-to guide: How to ensure compliance with the GDPR and Checklist: Lawful processing of personal data under the GDPR.
The checklist provides a methodology for auditing an organisation’s compliance with the key requirements under the EU GDPR. It:
- suggests documents and other aspects to check when making your assessment; and
- indicates whether the requirement applies to controllers or processors, or both.
The print version allows you to indicate whether the organisation complies with the relevant requirement; and includes space to note any follow-up actions that may be required.
Step 1 – Principles and lawful processing
| No. | Requirement | What to check | Controller / Processor responsible? |
| 1.1 | The data protection principles are met when processing personal data | | Controller |
| 1.2 | Accountability and data protection governance measures are in place. In particular, the organisation has: | | Controller |
| 1.3 | Each processing activity has a valid lawful basis (eg, valid consents) | | Controller |
| 1.4 | All special category data processing meets a relevant exemption | | Controller |
| 1.5 | All criminal data processing meets the relevant conditions | | Controller |
| 1.6 | De-identified/anonymous data is used wherever possible | | Controller |
Step 2 – Data subject rights
| No. | Requirement | What to check | Controller / Processor responsible? |
| 2.1 | Required privacy information is given to individuals whose data is processed (transparency) | | Controller |
| 2.2 | The right of access to data is provided | | Controller |
| 2.3 | The right of rectification/correction is provided | | Controller |
| 2.4 | The right to erasure/to be forgotten is provided (where applicable) | | Controller |
| 2.5 | The right to restriction of processing is provided (where applicable) | | Controller |
| 2.6 | There is a process for communicating rectification, erasure and restriction requests to third parties that hold relevant data | | Controller |
| 2.7 | The right to data portability is provided (where applicable) | | Controller |
| 2.8 | The right to object (including to direct marketing) is provided (where applicable) | | Controller |
| 2.9 | Rights are provided in relation to solely automated decision-making, including profiling (where applicable) | | Controller |
| 2.10 | When acting as a processor for another organisation, technical and organisational measures are in place to support data subject rights | | Processor |
Step 3 – Controller and processor
| No. | Requirement | What to check | Controller / Processor responsible? |
| 3.1 | Appropriate technical and organisational measures are in place for ensuring EU GDPR-compliant processing | Organisational measures: Technical measures: | Controller |
| 3.2 | Data protection by design and default principles are implemented | | Controller |
| 3.3 | Joint controller arrangements are properly documented | | Controller |
| 3.4 | Representatives are appointed where necessary (ie, where the controller and/or processor are not established in the European Economic Area but are nonetheless identified as being within the territorial scope of the EU GDPR by reason of article 3(2)) | | Controller Processor |
| 3.5 | Pre-contract due diligence is done on all processors (sufficient guarantees) | | Controller |
| 3.6 | Mandatory contract terms are in place for all controller/processor arrangements | | Controller Processor |
| 3.7 | When acting as a processor for another organisation, personal data is processed only on the controller’s instructions | | Processor |
| 3.8 | Records of processing are maintained (unless exempt) | | Controller Processor |
| 3.9 | The organisation cooperates with the appropriate supervisory authority and, where the context requires, additional data protection supervisory authorities/regulators | | Controller Processor |
Step 4 – Security and personal data breaches
| No. | Requirement | What to check | Controller / Processor responsible? |
| 4.1 | Appropriate technical and organisational security measures are in place | | Controller Processor |
| 4.2 | There are no unresolved personal data breaches, and preventative measures are in place against recurrent breaches | | Controller Processor |
| 4.3 | There is a process for notifying personal data breaches to the appropriate supervisory authority and, where the context requires, additional data protection supervisory authorities/regulators | | Controller |
| 4.4 | There is a process for notifying personal data breaches to the controller when acting as a processor for another organisation | | Processor |
| 4.5 | There is a process for communicating personal data breaches to affected individuals | | Controller |
| 4.6 | There is a process for assisting the controller with notifying breaches to regulators and affected individuals when acting as a processor for another organisation | | Processor |
Step 5 – Data protection impact assessments and prior consultation
| No. | Requirement | What to check | Controller / Processor responsible? |
| 5.1 | Data protection impact assessments (DPIAs) are conducted for all high-risk processing activities | | Controller |
| 5.2 | When acting as a processor for another organisation, support is given with DPIAs | | Processor |
| 5.3 | The appropriate data protection supervisory authority and, where the context requires, additional supervisory authorities/regulators are consulted before data processing commences (where required) | | Controller |
| 5.4 | When acting as a processor for another organisation, support is given with prior consultations | | Processor |
Step 6 – Data protection officer
| No. | Requirement | What to check | Controller / Processor responsible? |
| 6.1 | A data protection officer (DPO) is duly appointed (where required) | | Controller and processor |
Step 7 – Codes of conduct and certifications
| No. | Requirement | What to check | Controller / Processor responsible? |
| 7.1 | All codes of conduct applicable to or signed up to by the organisation are adhered to. Note: Codes of Conduct, under the EU GDPR, are voluntary sets of rules that assist members of that code with data protection compliance and accountability in specific sectors or relating to particular processing operations. Codes of conduct can either be ‘national codes’ (which cover processing activities in a particular jurisdiction) or ‘transnational codes’ (which cover processing activities in more than one member state). The EDPB and supervisory authorities encourage the creation of codes of conduct by actively engaging with sectors to encourage development and uptake of codes of conduct where the sector would benefit. | | Controller and processor |
| 7.2 | All certifications signed up to by the organisation are adhered to | | Controller and processor |
Step 8 – International data transfers
| No. | Requirement | What to check | Controller / Processor responsible? |
| 8.1 | Approved transfer mechanisms are used for all international data transfers (unless there is an adequacy decision) | | Controller and processor |
Explanatory notes
Legal framework
The checklist covers the requirements under:
- the EU GDPR; and
- various EDPB (formerly the Article 29 Working Party) guidelines.
Notes on specific requirements
Step 1 – Principles and lawful processing
1.1 Data protection principles
The data protection principles for controllers processing personal data are outlined in article 5, EU GDPR. These are:
- lawfulness, fairness and transparency;
- purpose limitation;
- data minimisation;
- accuracy;
- storage limitation; and
- integrity and confidentiality.
The controller must also be able to demonstrate ‘accountability’ – see explanatory note 1.2.
1.2 Accountability and data protection governance
The controller shall be responsible for, and be able to demonstrate compliance with, the data protection principles (see explanatory note 1.1). This is known as ‘accountability’. The best way to do this is to be able to point to an established data protection governance framework, underpinned by effective policies, procedures and management structures.
1.3 Lawful bases
The controller must ensure that each processing activity has a valid lawful basis under article 6, EU GDPR.
Article 7, EU GDPR sets out further conditions applicable to consent. Article 8, EU GDPR sets out conditions concerning children’s consent for online services. Ireland’s supervisory authority, the Data Protection Commission (DPC), has published, in its Fundamentals for a child-orientated approach to data processing, child-specific data protection interpretative principles and recommended measures with respect to the personal data of children.
For further guidance, see Checklist: Lawful processing of personal data under the GDPR.
1.4 Special category data
‘Special categories of personal data’, under article 9, EU GDPR, means processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
This type of more sensitive data is given special protection under the EU GDPR and cannot be processed unless a relevant exemption under article 9, EU GDPR is met.
1.5 Criminal data processing
‘Criminal data’ describes ‘criminal convictions and offences or related security measures based on article 6(1)’ (article 10, EU GDPR). Processing of criminal data must only be carried out under the control of an official authority or where authorised under laws that provide for appropriate safeguards for individuals’ rights and freedoms. A comprehensive register of criminal convictions can only be kept under the control of an official authority.
1.6 De-identified anonymous data
Under article 11, EU GDPR, if the purposes for which a controller is processing personal data no longer require them to identify an individual, the controller need no longer process that information in an identifiable format if their only reason for doing so is to comply with the EU GDPR. In those circumstances, the controller need not give effect to certain data subject rights (under articles 15 to 20, EU GDPR) unless the data subjects provide additional information allowing themselves to be identified.
Step 2 – Data subject rights
2.1 Privacy information/transparency
To fulfil the controller’s ‘transparency’ obligations, the information outlined in articles 13 and 14, EU GDPR must be provided to individuals whose data is processed.
2.2 Right of access
Under article 15, EU GDPR, if an individual requests access to their data being processed by the controller, the controller must confirm whether it is processing their personal data and, if so, provide access to a copy of the data and certain information about the data and how this is used. The request must be responded to within tight time frames (usually one month).
2.3 Right of rectification/correction
Under article 16, EU GDPR, if an individual requests rectification (correction) of their personal data, the controller must action this request without undue delay. The request must be responded to within tight time frames (usually one month).
2.4 Right to erasure/to be forgotten
Under article 17, EU GDPR, if an individual requests erasure of their personal data, the controller must do so without undue delay if one of certain specified grounds (eg, the data has been unlawfully processed) has been met. The request must be responded to within tight time frames (usually one month).
2.5 Right to restriction of processing
Under article 18, EU GDPR, if an individual requests restriction of processing of their personal data, the controller must action this request if one of certain specified grounds applies. The request must be responded to within tight time frames (usually one month).
2.6 Communication of requests to third parties
Article 19, EU GDPR, requires the controller to implement a process for communicating rectification, erasure and restriction requests to third parties that hold relevant data, unless a specified exception applies.
2.7 Right to data portability
Under article 20, EU GDPR, an individual may have a right to receive their personal data in a structured, commonly used and machine-readable format or to have that data transmitted to another controller (where technically feasible). This right only applies in limited specified circumstances. The request must be responded to within tight time frames (usually one month).
2.8 Right to object
Under article 21, EU GDPR, an individual has a right to object on certain grounds to the processing of personal data for the performance of a task in the public interest or in the exercise of official authority or for ‘legitimate interests’ (article 6(1)(e) or (f), EU GDPR). If the individual objects to processing for direct marketing purposes, the processing must stop (including any related profiling) (article 21(2), EU GDPR). Otherwise, the processing can continue only if the controller can demonstrate that it can meet a balancing test (article 21(1), EU GDPR). The request must be responded to within tight time frames (usually one month).
Since the EU GDPR has been in effect, its relationship with Regulation (EU) 2002/58 – ePrivacy Directive has been topical, particularly in the areas of direct marketing and website cookies where these laws are found to overlap. The EU GDPR is intended to be technology-neutral and cover all forms of personal data. On the other hand, the ePrivacy Directive only applies in limited (electronic communication) circumstances.
In 2019, the EDPB issued Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities. In that opinion, it was clarified that when both the EU GDPR and ePrivacy Directive apply to the same processing operation and impose conflicting requirements, the specific requirements of the ePrivacy Directive will take precedence over general obligations of the EU GDPR.
Taking direct marketing as an example, under recital 47, EU GDPR ‘the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest’. However, according to article 13, ePrivacy Directive, as a general rule, consent needs to be obtained from data subjects in cases of direct marketing. Therefore, when direct marketing communications are delivered through public communication networks and meet other ePrivacy Directive applicability criteria, provisions of the ePrivacy Directive will take precedence, and the data controller will have to obtain the data subject’s consent for direct marketing. In other cases (eg, direct marketing communications via post), the general rules of the GDPR will apply.
2.9 Automated decision-making, including profiling
Under article 22, EU GDPR, individuals have the right not to be subject to decisions based on solely automated decision-making, including profiling, which produce legal or similarly significant effects for the individual. There are exceptions to this linked to the lawful basis that underpins the decision. If such processing is permitted, certain additional safeguards need to be put in place to protect individuals’ rights. There are even stricter controls on making solely automated decisions in respect of special category personal data.
2.10 Technical and organisational measures by processors to support data subject rights (DSRs)
When acting as a processor on behalf of a controller organisation, you are required to implement technical and organisational measures to support the controller in meeting its obligations to respond to DSRs (article 28(3)(e), EU GDPR).
Step 3 – Controller and processor
3.1 Technical and organisational measures for compliance with the EU GDPR
The controller must implement and maintain appropriate technical and organisational measures to ensure and be able to demonstrate that processing is performed in accordance with the EU GDPR (article 24(1), EU GDPR). This may include the controller putting in place appropriate data protection policies, in addition to systems and technical controls around personal data.
3.2 Data protection by design and default
Under article 25(1), EU GDPR, the controller must implement appropriate technical and organisational measures (such as pseudonymisation), which are designed to implement data protection principles (such as data minimisation) effectively both:
- at the time of determining the means for processing; and
- at the time of the processing itself.
The necessary safeguards need to be integrated into the processing to comply with the EU GDPR and to protect individuals’ rights. Certain specific considerations need to be taken into account in this ‘data protection by design’.
The controller must also implement appropriate technical and organisational measures for ensuring that, by default, only personal data that is necessary for each specific purpose of the processing is processed. This so-called ‘data protection by default’ applies to the volume of personal data collected, the extent of the processing of that data, its storage period and its accessibility.
The European Commission plans to establish a code of conduct to better protect children in the digital age. This code of conduct would not be the first of its kind. The UK’s supervisory authority, the ICO, has introduced a suite of documents on the treatment of children’s personal data. In respect of oversight in the European Union, Ireland’s DPC guideline document Fundamentals for a child-orientated approach to data processing, referenced in step 1.3 above, is intended (after being embraced by the EDPB) to serve as the EU’s blueprint when developing its code of conduct.
3.3 Joint controller arrangements
Under article 26, EU GDPR, arrangements between joint controllers need to be determined transparently and properly documented, in particular as regards exercising rights of data subjects and provision of privacy information. The essence of the relationship needs to be made available to data subjects.
3.4 Representatives
Under article 27, EU GDPR, controllers and processors not established in the European Economic Area (EEA) but otherwise caught within the territorial scope provisions of the EU GDPR (ie, under article 3(2)) will need to appoint an EEA representative. There are exemptions for occasional, low-risk processing. Public authorities or bodies do not need to appoint a representative.
3.5 Pre-contract due diligence on processors
Article 28(1), EU GDPR requires that controllers only appoint processors that give ‘sufficient guarantees’ to implement appropriate technical and organisational measures to ensure that processing will comply with the EU GDPR and that data subject rights are protected. In practice, this means carrying out pre-contract due diligence on such processors.
3.6 Processor contracts
Article 28, EU GDPR imposes certain requirements on the appointment of processors to process personal data on behalf of controllers. There are also mandatory terms that need to be included in all processor contracts (article 28(3)).
3.7 Controller’s instructions
A processor or anyone under the authority of the controller or of the processor, who has access to personal data, must not deviate from the processing instructions given by the controller, unless applicable EU or member state law requires them to do otherwise (article 29, EU GDPR).
3.8 Records of processing
The controller and the processor must maintain records of processing containing certain mandatory information (article 30(1) and (2), EU GDPR). Some smaller organisations that only carry out lower-risk processing are exempt (article 30(5), EU GDPR).
3.9 Cooperation with data protection regulators
Article 31, EU GDPR requires the controller and the processor, and their representatives, to cooperate on the request of the data protection regulator (or supervisory authority) in the performance of its tasks.
Step 4 – Security and personal data breaches
4.1 Technical and organisational security measures
Article 32, EU GDPR sets out the requirements in relation to security that apply to controllers and processors. In particular, the organisation must implement appropriate technical and organisational measures in relation to personal data to ensure a level of security appropriate to the risk.
4.2 Unresolved personal data breaches
A ‘personal data breach’ is defined as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’ (article 4(12), EU GDPR). Check that there are no unresolved personal data breaches and ensure that preventative measures are in place to guard against breaches recurring.
Article 33(5), EU GDPR requires the controller to document any personal data breaches, including the relevant facts, its effects and the remedial action taken.
4.3 Reporting personal data breaches
See explanatory notes at 4.2 for the definition of ‘personal data breach’.
The controller must ‘without undue delay and, where feasible, not later than 72 hours after having become aware of a personal data breach’, notify the relevant supervisory authority or, where the context requires, other relevant data protection supervisory authority/regulator of the breach, unless it is unlikely to result in a risk to the rights and freedoms of individuals (article 33(1), EU GDPR). Certain information must be included in the notification (article 33(1), (3) and (4), EU GDPR).
Article 33(5), EU GDPR requires the controller to document any personal data breaches, including the relevant facts, its effects and the remedial action taken.
4.4 Notifying breaches to controller when acting as a processor
The processor has to notify the controller ‘without undue delay after becoming aware of a personal data breach’ (article 33(2), EU GDPR).
4.5 Communicating personal data breaches to affected individuals
When a personal data breach is likely to result in a ‘high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay’ (article 34(1), EU GDPR).
The communication needs to be clear and disclose certain prescribed information and measures (article 34(2), EU GDPR). There are certain limited exceptions when such communication is not necessary (article 34(3), EU GDPR).
4.6 Assisting the controller with notifying breaches to regulators and affected individuals when acting as a processor
Article 28(3)(f), EU GDPR requires processors to assist controllers with notifying data breaches to data protection regulators and affected individuals.
Step 5 – Data protection impact assessments and prior consultation
5.1 DPIAs for high-risk processing
The controller must carry out a data protection impact assessment (DPIA) in advance of starting processing where ‘a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons’ (article 35(1), EU GDPR). The EU GDPR lists certain types of processing requiring a DPIA.
The Article 29 Working Party’s Guidelines on Data Protection Impact Assessment (DPIA) (which have been endorsed by the EDPB) list criteria that may indicate probable high-risk processing. DPIA Guidance published by Ireland’s DPC also gives further context on situations where processing is likely to be high-risk and requires a DPIA.
5.2 Processors supporting DPIAs
Processors must assist controllers in ensuring compliance with the controller’s obligations in relation to DPIAs (article 28(3)(f), EU GDPR).
5.3 Prior consultation
Where a DPIA is carried out and ‘indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk’, the controller must consult with the relevant data protection regulator(s) before data processing commences (article 36(1), EU GDPR). A detailed consultation process follows where the regulator decides whether the intended processing would infringe the EU GDPR, in particular where the controller has insufficiently identified or mitigated the risk (article 36(2) and (3), EU GDPR).
5.4 Processors supporting prior consultations
Processors must assist controllers in ensuring compliance with the controller’s obligations relating to prior consultations (article 28(3)(f), EU GDPR).
Step 6 – Data protection officer
6.1 Appointment of a DPO (where required)
Organisations meeting the specified criteria in article 37, EU GDPR must appoint a data protection officer (DPO). Where a statutory DPO is appointed, their appointment must fulfil the requirements in article 38, EU GDPR and they must fulfil the tasks listed in article 39, EU GDPR. The relevant data protection regulator(s) must be notified of the appointment and the details of the relevant regulator(s) must be included in privacy notices.
Step 7 – Codes of conduct and certifications
7.1 Codes of conduct
Under article 40, EU GDPR, relevant data protection regulators and EU bodies encourage the drawing up of codes of conduct to contribute to the proper application of the EU GDPR, taking account of the specific features of the various processing sectors and the needs of micro, small and medium-sized enterprises.
To date, a limited number of codes of conduct have been approved.
7.2 Certifications
Under article 41, EU GDPR, relevant data protection regulators and EU bodies encourage the establishment of data protection certification mechanisms and data protection seals and marks, to demonstrate compliance with the EU GDPR of processing operations by controllers and processors.
During 2022, the EDPB adopted an opinion on the approval of the Europrivacy certification criteria submitted by the Luxembourg data protection authority. This was the first such certification approved by the EDPB. Under the certification scheme, Europrivacy enables organisations to assess and certify the compliance of their data processing with the EU GDPR and complementary national data protection laws.
Step 8 – International data transfers
8.1 Approved transfer mechanisms
All countries located within the EEA (ie, EU member states, Iceland, Liechtenstein and Norway) are subject to the EU GDPR. By reason of having comparable standards of data protection, cross-border transfers between these countries can take place without restriction.
Generally speaking, transfers of personal data by a controller or processor to a country located outside of the EEA (a ‘third country’) or international organisation can only take place if the controller or processor has provided appropriate safeguards (article 46, EU GDPR). ‘Appropriate safeguards’ include standard contractual clauses with supplementary measures as appropriate, binding corporate rules and specific derogations.
However, the European Commission has the power to determine whether a third country offers an adequate level of data protection (article 45, EU GDPR). Where a country is found by the European Commission to have an adequate level of data protection, transfers to that third country can be made without any safeguard being required. The European Commission maintains a list of adequacy decisions, which is subject to review on a scheduled basis.
In relation to the transferring (exporting) of personal data to a third country that is not identified as adequate by the European Commission, the use of European Commission-issued standard contract clauses (EU SCCs) is the most popular safeguard used by data exporters. In 2021, the European Commission issued updated EU SCCs that replaced earlier versions that pre-dated the introduction of the EU GDPR. The updated EU SCCs provide for transfers from controllers or processors established in the EEA (or otherwise subject to the EU GDPR) to controllers or processors established outside the EEA (and not subject to the GDPR).
In the absence of an adequacy decision or of appropriate safeguards, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only if one of the conditions (derogations), as set out in article 49, EU GDPR, is met.
The EDPB offers guidance on international transfers in accordance with the EU GDPR and guidance on measures to supplement transfer tools. In addition, the European Commission has published a questions and answers document particular to the use of EU SCCs.
The European Data Protection Supervisor (EDPS) also provides guidance on international transfers, including on the requirement to conduct Transfer Impact Assessments (TIAs).
This is a fast-moving area, and it is advisable to check the EDPB website for the latest guidance.
Additional resources
Related Lexology Pro content
How-to guides:
Understanding key data protection definitions
How to comply with data processing principles under the GDPR
How to ensure compliance with the GDPR
How to establish a valid lawful basis for processing personal data under the GDPR
How to transfer personal data lawfully outside the European Economic Area
How to reduce the risk of a GDPR data breach
How to deal with a GDPR data breach
How to deal with a supervisory authority dawn raid
Checklists:
Assessing whether an organisation is a controller or processor under the GDPR
Lawful processing of personal data under the GDPR
Obtaining and managing consent under the GDPR
Processor due diligence (data protection and cybersecurity)
Making an international transfer of personal data under the GDPR
Data subject access rights under the GDPR
What to include in your organisation’s privacy notice
When and how to appoint a data protection officer
Complying with cookie requirements under the ePrivacy Directive and the GDPR