The DPIA should be carried out "prior to the processing" (Articles 35(1) and 35(10), recitals 90 and 93)[^23]. This is consistent with data protection by design and by default principles (Article 25 and recital 78). The DPIA should be seen as a tool for helping decision-making concerning the processing.

The fact that the DPIA may need to be updated once the processing has actually started is not a valid reason for postponing or not carrying out a DPIA. The DPIA is an on-going process, especially where a processing operation is dynamic and subject to ongoing change. Carrying out a DPIA is a continual process, not a one-time exercise.

The controller is responsible for ensuring that the DPIA is carried out (Article 35(2)). Carrying out the DPIA may be done by someone else, inside or outside the organization, but the controller remains ultimately accountable for that task.

The representative in the Union acts on behalf of the controller or processor it represents with regard to the controller or processor's obligations under the GDPR. This implies notably the obligations relating to the exercise of data subject rights, and in this regard and as already stated, the identity and contact details of the representative must be provided to data subjects in accordance with articles 13 and 14. While not itself responsible for complying with data subject rights, the representative must facilitate the communication between data subjects and the controller or processor represented, in order to make the exercise of data subjects' rights are effective.

With the help of a team if necessary, the representative in the Union must therefore be in a position to efficiently communicate with data subjects and cooperate with the supervisory authorities concerned. This means that this communication should in principle take place in the language or languages used by the supervisory authorities and the data subjects concerned or, should this result in a disproportionate effort, that other means and techniques shall be used by the representative in order to ensure the effectiveness of communication. The availability of a representative is therefore essential in order to ensure that data subjects and supervisory authorities will be able to establish contact easily with the non-EU controller or processor.

Article 27(3) foresees that "the representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are". In cases where a significant proportion of data subjects whose personal data are processed are located in one particular Member State, the EDPB recommends, as a good practice, that the representative is established in that same Member State. However, the representative must remain easily accessible for data subjects in Member States where it is not established and where the services or goods are being offered or where the behaviour is being monitored.

Data processing carried out by a processor on[^59] behalf of the controller must be subject to sufficient safeguards, in particular in terms of security. The data controller must be aware of the details of the security measures implemented by its processors in order to be able to demonstrate its compliance[^60].

Provide for a contract with the processors[^61], which defines in particular the subject matter, duration, purpose of the processing as well as the obligations of the parties, in particular in terms of security. Ensure that it contains, in particular, provisions setting out:

• the division of responsibilities and obligations relating to the confidentiality of the personal data entrusted;
• minimal user authentication requirements;
• the conditions for the return and destruction of data at the end of the contract;
• the rules for managing and notifying incidents. These should include informing the controller in the event of a discovery of a security breach or incident, and this should be done as soon as possible in the event of a personal data breach[^62];
• assistance to be provided to the processor to ensure compliance with security obligations[^63];
• the regular review of security measures and, where appropriate, the conditions for their revision.

Use cloud services without guarantee as to the actual geographical location of the data and without ensuring legal conditions and any possible formalities for data transfers outside the European Union.

In cases where a CSP processes personal data solely within the EU/EEA, including using only sub-processors in the EU/EEA, you are, in principle, not required to comply with the rules in Chapter V of the GDPR.

As a transfer tool the company has entered into the SCCs with the American university hospital. Additionally, the company has assessed the legislation and practices to which the university hospital is subject and concludes that the university hospital is generally covered by legislation which impedes on the effectiveness of the concluded SCCs. However, in its assessment the company's also finds that the relevant legislation does not apply to data on US citizens. This assessment is supported by a report from a recognised American university.

Firstly, the controller may only use processors that can provide sufficient guarantees to comply with data protection law. In this context, the controller should ask the processor to clearly indicate whether the processor is subject to laws of third countries which – despite the controller's instructions to the contrary – may require the processor to disclose personal data processed in the EU/EEA to authorities in third countries.

The contract should specify the requirements for transfers to third countries or international organisations, taking into account the provisions of Chapter V of the GDPR.

The EDPB recommends that controller pay due attention to this specific point especially when the processor is going to delegate some processing activities to other processors, and when the processor has divisions or units located in third countries. If the instructions by the controller do not allow for transfers or disclosures to third countries, the processor will not be allowed to assign the processing to a sub-processor in a third country, nor will he be allowed to have the data processed in one of his non-EU divisions.

A processor may process data other than on documented instructions of the controller when the processor is required to process and/or transfer personal data on the basis of EU law or Member State law to which the processor is subject. This provision further reveals the importance of carefully negotiating and drafting data processing agreements, as, for example, legal advice may need to be sought by either party as to the existence of any such legal requirement.

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation');

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy');

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ('storage limitation');

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').

2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability').

It should be recalled also that the GDPR provides for the possibility of local oversight in specific cases. See Recital 127: "Each supervisory authority not acting as the lead supervisory authority should be competent to handle local cases where the controller or processor is established in more than one Member State, but the subject matter of the specific processing concerns only processing carried out in a single Member State and involves only data subjects in that single Member State, for example, where the subject matter concerns the processing of employees' personal data in the specific employment context of a Member State." This principle means that the supervision of HR data connected to the local employment context could fall on several supervisory authorities.

Where processing is carried out by a group of undertakings that has its headquarters in the EEA, the establishment of the undertaking with overall control is presumed to be the decision-making centre relating to the processing of personal data, and will therefore be considered to be the main establishment for the group, except where decisions about the purposes and means of processing are taken by another establishment. The parent, or operational headquarters of the group of undertakings in the EEA, is likely to be the main establishment, because that would be the place of its central administration.

However, the decision system of group of companies could be more complex, giving independent making powers relating to cross-border processing to different establishments. The criteria set out above should help groups of undertakings to identify their main establishment.

In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:

(a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;

(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;

(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;

Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:

(a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or

(b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.'

Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union ("supervisory authority").

Even when the GDPR does not specifically require the appointment of a DPO, organisations may sometimes find it useful to designate a DPO on a voluntary basis. The Article 29 Data Protection Working Party ('WP29') encourages these voluntary efforts.

Appointing a DPO is a first step but DPOs must also be given sufficient autonomy and resources to carry out their tasks effectively.

The aim of these guidelines is to clarify the relevant provisions in the GDPR in order to help controllers and processors to comply with the law, but also to assist DPOs in their role. The guidelines also provide best practice recommendations, building on the experience gained in some EU Member States.

When a group of participants decide to carry out processing operations with a common purpose, the CNIL recommends to identify beforehand the data controller. For example, the participants may create a legal person in the form of an association or economic interest group. They may also choose to identify one participant who makes decisions for the group and to designate the said participant as a data controller.

Otherwise, all participants could be considered joint controllers, as provided by Article 26 of the GDPR, and must therefore determine, in a transparent way, their respective responsibilities to ensure compliance with the regulation.

Data subjects (i.e. those whose personal data is recorded on the blockchain) must know which entity they can refer to in order to effectively exercise their rights, and data protection authorities must have a contact point who can be held accountable for the processing carried out.