The measures implemented to protect customer data must be appropriate for the technical, security and organisational levels. Only relevant and adequate personal data shall be processed.
If personal data are stored, this must be limited to what is necessary.
Main Question
Are appropriate measures (technical, security, organizational) in place to protect customer data?
Sub-Questions:
- Are there contractual safeguards to protect and restrict the amount of personal data in the event of outsourcing?
- Is data privacy addressed by using publicly available and well-tested cryptographic methods?
- Is anonymisation, pseudonymisation and de-identification applied where appropriate?
- Is the data processed based on a contract, with the consent of the customer, to comply with legal obligations?
- Is personal data kept in a form that permits identification of data subjects for no longer than necessary for the purposes for which it is stored?