Questions about accountability for data processing

The GDPR stipulates that if the AUAS contracts an external party to process personal data, the processing carried out by this processor must be governed by an agreement or otherwise binding legal act.

Read more about the processing agreement, including information on what it should contain and instructions on how to conclude one. A model processing agreement is also available for the AUAS.

If an intended personal data-processing activity is likely to result in a high risk to the rights and freedoms of natural persons, a Data Protection Impact Assessment (DPIA) must be performed prior to the processing.

Read more about the DPIA, including information on when it is needed, how to perform it and how to use the AUAS's model DPIA.

To demonstrate its fulfilment of the obligations laid down in the GDPR, the AUAS is required to maintain a register of the processing activities for which the AUAS acts as controller. The register of processing activities is a summary of the most important information about processing activities relating to personal data.

Read more about the register of processing activities.

Published by  Communication 24 October 2022