To protect user data, appropriate technical and organizational measures must ensure that data processing meets all requirements of the regulations and protects the rights of the data subject.
A key principle of the General Data Protection Regulation (GDPR) is data minimization: only collect, store and process the personal data that is actually needed and relevant for a specific, legitimate purpose (Regulation (EU) 2016/679).
Main Question
Are appropriate measures (technical, security, organizational) in place to protect personal data of data subjects?
Sub-Questions
- Are there contractual safeguards to protect and restrict the amount of personal data in the event of outsourcing?
- Is data privacy addressed by using publicly available and well-tested cryptographic methods?
- Are anonymisation, pseudonymisation and de-identification applied where appropriate?
- Is the data processed on a lawful basis, such as the performance of a contract, the consent of the user, or compliance with a legal obligation?
- Is personal data kept in a form that permits identification of data subjects for no longer than necessary for the purposes for which it is stored?
References
- General Data Protection Regulation (EU) 2016/679. Available at: https://gdpr-info.eu/ (Accessed: 09 December 2025)