In this practical sub-module, small and medium-sized enterprises (users) will be asked for relevant information about the processing of data in their organisations, i.e. the following information: whether they process personal data of clients, employees; whether they process data on natural person’s sex life or sexual orientation religion, health or other sensitive data; whether they use the personal data they collect and store for specified, explicit and legitimate purposes; do they only keep personal data for as long as necessary for the purposes for which they are processed, etc.
Furthermore, users will be able to answer questions to determine whether they are data controllers, processors or joint controllers. It is essential that users identify the role of their organisation/company in data processing activities, as organisations/companies can play all three roles at the same time. For example, at the same time a marketing agency is the data controller for some processing activities, and together with an airline is the joint controller, and data processor for other organisations that have hired it to carry out marketing activities. Users will also be able to complete the questionnaire and answer questions to identify which categories of personal data they process and to determine whether they collect and process sensitive data (special categories of personal data).
Once all the questions have been answered, a report with recommendations for improvements will be generated.
